ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual April 2013 202-10536-05 350 East Plumeria Drive San Jose, CA 95134 USA
Support
Thank you for selecting NETGEAR products. After installing your device, locate the serial number on the label of your product and use it to register your product at https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR recommends registering your product through the NETGEAR website. For product updates and web support, visit http://support.netgear.com. Phone (US & Canada only): 1-888-NETGEAR.
Revision history: 202-10536-03, version 1.0, November 2011. Incorporated nontechnical edits only (there are no feature changes). 202-10536-02, 1.
Contents (excerpt)
Chapter 1 Introduction
• What Is the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308? (page 12)
• Key Features and Capabilities (page 12)
• Quad-WAN Ports for Increased Reliability and Load Balancing (page 13)
• Advanced VPN Support for Both IPSec and SSL (page 14)
• A Powerful, True Firewall with Content Filtering (page 14)
• Security Features
• Configure a Static IPv6 Internet Connection (page 58)
• Configure a PPPoE IPv6 Internet Connection (page 61)
• Configure 6to4 Automatic Tunneling (page 64)
• Configure ISATAP Automatic Tunneling (page 65)
• View the Tunnel Status and IPv6 Addresses
• Inbound Rules (Port Forwarding) (page 140)
• Order of Precedence for Rules (page 144)
• Configure LAN WAN Rules (page 145)
• Create LAN WAN Outbound Service Rules (page 147)
• Create LAN WAN Inbound Service Rules
• Configure Extended Authentication (XAUTH) (page 245)
• Configure XAUTH for VPN Clients (page 246)
• User Database Configuration (page 247)
• RADIUS Client and Server Configuration (page 247)
• Assign IPv4 Addresses to Remote Users (Mode Config)
• Change Passwords and Other User Settings (page 318)
• Manage Digital Certificates for VPN Connections (page 320)
• VPN Certificates Screen (page 321)
• Manage VPN CA Certificates (page 322)
• Manage VPN Self-Signed Certificates
• LAN or WAN Port LEDs Not On (page 394)
• Troubleshoot the Web Management Interface (page 394)
• When You Enter a URL or IP Address, a Time-Out Error Occurs (page 395)
• Troubleshoot the ISP Connection (page 396)
• Troubleshooting the IPv6 Connection
• LAN to DMZ Logs (page 445)
• DMZ to WAN Logs (page 445)
• WAN to LAN Logs (page 445)
• DMZ to LAN Logs (page 446)
• WAN to DMZ Logs
1. Introduction
This chapter provides an overview of the features and capabilities of the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web management interface.
What Is the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308?
The ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through up to four external broadband access devices such as cable or DSL modems or satellite or wireless Internet dishes.
The VPN firewall provides the following key features and capabilities: • Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover protection of your Internet connection, providing increased data rate and increased system reliability. • Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer between local network resources and support for up to 200,000 internal or external connections.
Advanced VPN Support for Both IPSec and SSL
The VPN firewall supports IPSec and SSL virtual private network (VPN) connections: • IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
Security Features
The VPN firewall is equipped with several features designed to maintain security: • Computers hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN. • Port forwarding with NAT.
• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. • PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. • Quality of Service (QoS).
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall: • Flash memory for firmware upgrades. • Technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR website at http://support.netgear.com/app/answers/detail/a_id/212.
The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are described in the following table.
Figure 1. Front panel LEDs (DMZ LED, left and right WAN LEDs, left and right LAN LEDs, Power LED, Internet LEDs, Test LED).
Table 1. LED descriptions
Power LED: On (green): Power is supplied to the VPN firewall.
Table 1. LED descriptions (continued)
DMZ LED: On (green): Port 4 operates as a dedicated hardware DMZ port. Off: Port 4 operates as a normal LAN port.
WAN LED: On (green): The WAN port has a valid connection with a device that provides an Internet connection. Blinking (green): The WAN port receives or transmits data. Off: The WAN port has no physical link, that is, no Ethernet cable is plugged into the VPN firewall.
• Factory Defaults Reset button. Using a sharp object, press and hold this button for about 8 seconds until the front panel Test LED flashes to reset the VPN firewall to factory default settings. All configuration settings are lost, and the default password is restored. • AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz). • A power on/off switch.
Use the Rack-Mounting Kit
Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the mounting brackets using the hardware that is supplied with the mounting kit. Figure 4. Before mounting the VPN firewall in a rack, verify that: • You have the correct screws (supplied with the installation kit). • The rack onto which you plan to mount the VPN firewall is suitably located.
Note: The VPN firewall factory default IP address is 192.168.1.1. If you change the IP address, you need to use the IP address that you assigned to the VPN firewall to log in to the VPN firewall. Figure 5. Note: The first time that you remotely connect to the VPN firewall with a browser through an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL certificate. 3.
5. Click Login. The web management interface displays, showing the Router Status screen. The following figure shows the top part of the Router Status screen. For more information, see View the System Status on page 369. Note: After 5 minutes of inactivity (the default login time-out), you are automatically logged out. Figure 6.
The web management interface menu consists of the following components: • 1st level: Main navigation menu links. The main navigation menu in the orange bar across the top of the web management interface provides access to all the configuration functions of the VPN firewall, and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background. • 2nd level: Configuration menu links.
When a screen includes a table, table buttons display to let you configure the table entries. The nature of the screen determines which table buttons are shown. The following figure shows an example: Figure 9. Any of the following table buttons might display onscreen: • Select All. Select all entries in the table. • Delete. Delete the selected entry or entries from the table. • Enable. Enable the selected entry or entries in the table. • Disable.
2. IPv4 and IPv6 Internet and WAN Settings This chapter explains how to configure the IPv4 and IPv6 Internet and WAN settings.
Internet and WAN Configuration Tasks
• Roadmap to Setting Up IPv4 Internet Connections to Your ISPs
• Roadmap to Setting Up IPv6 Internet Connections to Your ISPs
Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall to protect the network from incoming threats and provide secure connections.
5. (Optional) Configure Dynamic DNS on the WAN interfaces. If necessary, configure your fully qualified domain names. This task is described in Configure Dynamic DNS on page 49.
6. (Optional) Configure the WAN options. If necessary, change the factory default MTU size, port speed, and MAC address of the VPN firewall. These are advanced features, and you usually do not need to change the settings. These tasks are described in Configure Advanced WAN Options and Other Tasks on page 71.
• If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your computers, and you can map incoming traffic on the other public IP addresses to specific computers on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.
Classical Routing
In classical routing mode, the VPN firewall performs routing, but without NAT.
3. Click Apply to save your settings. These settings apply to all WAN ports.
Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection
To automatically configure a WAN port for an IPv4 connection to the Internet: 1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the IPv4 settings: Figure 11.
Figure 12. 3. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of the following results: • If the autodetect process is successful, a status bar at the top of the screen displays the results (for example, DHCP service detected).
Table 2. IPv4 Internet connection methods (Connection Method; Manual Data Input Required)
• DHCP (Dynamic IP): No manual data input is required.
Figure 13. The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection on page 34, or see Troubleshoot the ISP Connection on page 396. Note: For more information about the Connection Status screen, see View the WAN Port Status on page 382.
The IPv4 WAN Settings table displays the following fields: • WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4). • Status. The status of the WAN interface (UP or DOWN). • WAN IP. The IPv4 address of the WAN interface. • Failure Detection Method. The failure detection method that is active for the WAN interface.
Figure 16. 6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as described in the following table:
Table 3. PPTP and PPPoE settings
Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button, and enter the following settings (Note: For login and password information, see Step 3 and Step 4): Account Name
Table 3. PPTP and PPPoE settings (continued)
Other (PPPoE): If you have installed login software, your connection type is PPPoE. Select this radio button, and enter the following settings (Note: For login and password information, see Step 3 and Step 4): Account Name: The valid account name for the PPPoE connection. Domain Name: The name of your ISP’s domain or your domain name if your ISP has assigned one.
Table 4. Internet IP address settings
Get Dynamically from ISP: If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the VPN firewall using the DHCP network protocol.
Table 5. DNS server settings
Get Automatically from ISP: If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get Automatically from ISP radio button. Use These DNS Servers: If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Make sure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues.
Note: If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, you need to enter that address on the WAN Advanced Options screen for the WAN interface (see Configure Advanced WAN Options and Other Tasks on page 71).
Configure Load Balancing Mode and Optional Protocol Binding for IPv4 Interfaces
To use multiple ISP links simultaneously, configure load balancing. In load balancing mode, any WAN port carries any outbound protocol unless protocol binding is configured. When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is directed to the bound WAN port.
b. From the corresponding drop-down list on the right, select one of the following load balancing methods: • Weighted LB. With weighted load balancing, balance weights are calculated based on WAN link speed and available WAN bandwidth. This is the default setting and most efficient load balancing algorithm. • Round-robin.
• Destination Network. The Internet locations (based on their IP address) or groups that are covered by the protocol binding rule. • Action. The Edit table button, which provides access to the Edit Protocol Binding screen for the corresponding service. 3. Click the Add table button below the Protocol Binding table. The Add Protocol Binding screen displays: Figure 22. 4.
Table 6. Add Protocol Binding screen settings (continued)
Destination Network: The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the drop-down list: Any: All Internet IP addresses. Single address: In the Start IP field, enter the IP address to which the rule is applied.
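The selection order the manual describes (a bound protocol always leaves on its bound WAN port; everything else is load balanced by the configured method) can be modelled in a few lines. The following is an added example written for this page, not NETGEAR's code: the interface names, link speeds, source and destination networks and the SMTP binding rule are constructed, and weighted load balancing is approximated by link speed alone, an assumption (the appliance also weighs available bandwidth).

```python
import ipaddress
import random
from dataclasses import dataclass
from itertools import cycle

# Added example: outbound WAN selection with protocol binding first, then load
# balancing (weighted by link speed, or round-robin). Sample data is constructed.


@dataclass
class WanLink:
    name: str
    speed_kbps: int
    up: bool = True


@dataclass
class BindingRule:
    """One protocol binding rule: service + source + destination -> bound WAN port."""
    service: str        # service name, or "ANY"
    source: str         # LAN hosts covered, as a CIDR string
    destination: str    # Internet destinations covered ("0.0.0.0/0" = Any)
    wan: str            # the WAN interface the service is bound to

    def __post_init__(self):
        self.source_net = ipaddress.IPv4Network(self.source)
        self.destination_net = ipaddress.IPv4Network(self.destination)

    def matches(self, service, src, dst):
        return ((self.service == "ANY" or self.service == service)
                and src in self.source_net and dst in self.destination_net)


class WanSelector:
    def __init__(self, links, rules, method="weighted", seed=0):
        self.links = {link.name: link for link in links}
        self.rules = rules
        self.method = method
        self.rng = random.Random(seed)            # seeded so runs are reproducible
        self._round_robin = cycle(list(self.links))

    def select(self, service, src_ip, dst_ip):
        src = ipaddress.IPv4Address(src_ip)
        dst = ipaddress.IPv4Address(dst_ip)
        # 1. A bound protocol always leaves on its bound WAN port (if that port is up).
        for rule in self.rules:
            if rule.matches(service, src, dst) and self.links[rule.wan].up:
                return rule.wan
        live = [link for link in self.links.values() if link.up]
        if not live:
            raise RuntimeError("no WAN interface is up")
        # 2. Everything else is load balanced across the WAN ports that are up.
        if self.method == "round-robin":
            while True:
                name = next(self._round_robin)
                if self.links[name].up:
                    return name
        # Weighted LB (assumption): probability proportional to configured link speed.
        weights = [link.speed_kbps for link in live]
        return self.rng.choices([link.name for link in live], weights=weights)[0]


def example_selector(method="weighted"):
    """Constructed sample: three WAN links (WAN3 down) and SMTP bound to WAN2."""
    links = [WanLink("WAN1", 100_000), WanLink("WAN2", 10_000),
             WanLink("WAN3", 50_000, up=False)]
    rules = [BindingRule("SMTP", "192.168.1.0/24", "0.0.0.0/0", "WAN2")]
    return WanSelector(links, rules, method=method)


if __name__ == "__main__":
    sel = example_selector("round-robin")
    for svc in ("SMTP", "HTTP", "HTTP", "HTTP"):
        print(svc, "->", sel.select(svc, "192.168.1.10", "203.0.113.5"))
```

Running the block prints SMTP on WAN2 and HTTP cycling WAN1, WAN2, WAN1 (WAN3 is skipped because it is down). The same ordering is why a binding rule for a sensitive service is worth reviewing when a WAN port is replaced: the rule, not the load balancer, decides where that traffic exits.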
Configure the Auto-Rollover Mode and Failure Detection Method for IPv4 Interfaces
To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that should function as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.
2. In the Load Balancing Settings section of the screen, configure the following settings: a. Select the Primary WAN Mode radio button. b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface. The other WAN interfaces become disabled. c. Select the Auto Rollover check box. d. From the corresponding drop-down list on the right, select a WAN interface to function as the backup WAN interface.
Table 7. Failure detection method settings
Failure Detection Method: Select a failure detection method from the drop-down list: • WAN DNS. DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure an IPv4 Internet Connection on page 34). • Custom DNS. DNS queries are sent to a DNS server that you need to specify in the DNS Server fields.
After you have configured secondary WAN addresses, these addresses are displayed on the following firewall rule screens:
• In the WAN Destination IP Address drop-down lists of the following inbound firewall rule screens:
- Add LAN WAN Inbound Service screen
- Add DMZ WAN Inbound Service screen
• In the NAT IP drop-down lists of the following outbound firewall rule screens:
- Add LAN WAN Outbound Service screen
- Add DMZ WAN Outbound Service screen
Figure 25. The List of Secondary WAN addresses table displays the secondary LAN IP addresses added for the selected WAN interface. 4. In the Add WAN Secondary Addresses section of the screen, enter the following settings: • IP Address. Enter the secondary address that you want to assign to the WAN port. • Subnet Mask. Enter the subnet mask for the secondary IP address. 5.
After you have configured your account information on the VPN firewall, when your ISP-assigned IP address changes, your VPN firewall automatically contacts your DDNS service provider, logs in to your account, and registers your new IP address.
Figure 26. 3. Click the Information option arrow in the upper right of a DNS screen for registration information (for example, DynDNS Information). Figure 27. 4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
5. Configure the DDNS service settings as described in the following table:
Table 8. DDNS service settings
WAN1 (... Status: ...): Select the Yes radio button to enable the DDNS service. The fields that display on the screen depend on the DDNS service provider that you have selected. Enter the following settings: Host and Domain Name: The host and domain name for the DDNS service.
Note: You can configure only one WAN interface for IPv6. This restriction might be lifted in a later release. You can configure the other three WAN interfaces for IPv4. The nature of your IPv6 network determines how you need to configure the IPv6 Internet connections: • Native IPv6 network. Your network is a native IPv6 network if the VPN firewall has an IPv6 address and is connected to an IPv6 ISP and if your network consists of IPv6-only devices.
These are the options: • IPv4-only mode. The VPN firewall communicates only with devices that have IPv4 addresses. • IPv4/IPv6 mode. The VPN firewall communicates with both devices that have IPv4 addresses and devices that have IPv6 addresses. Note: IPv6 always functions in classical routing mode between the WAN interface and the LAN interfaces; NAT does not apply to IPv6.
WARNING: Changing the IP routing mode causes the VPN firewall to reboot. 3. Click Apply to save your changes.
Use a DHCPv6 Server to Configure an IPv6 Internet Connection
The VPN firewall can autoconfigure its ISP settings through a DHCPv6 server by using either stateless or stateful address autoconfiguration: • Stateless address autoconfiguration.
The IPv6 WAN Settings table displays the following fields: • WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4). • Status. The status of the WAN interface (UP or DOWN). • WAN IP. The IPv6 address of the WAN interface. • Action.
6. As an optional step: If you have selected the Stateless Address Auto Configuration radio button, you can select the Prefix Delegation check box: • Prefix delegation check box is selected. A prefix is assigned by the ISP’s stateful DHCPv6 server through prefix delegation, for example, 2001:db8::/64. The VPN firewall’s own stateless DHCPv6 server can assign this prefix to its IPv6 LAN clients.
Configure a Static IPv6 Internet Connection
To configure a static IPv6 or PPPoE IPv6 Internet connection, you need to enter the IPv6 address information that you should have received from your ISP. To configure static IPv6 ISP settings for a WAN interface: 1. Select Network Configuration > WAN Settings > WAN Setup. 2. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings: Figure 32.
Figure 33. 4. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6. 5. In the Static IP Address section of the screen, enter the settings as described in the following table. You should have received static IPv6 address information from your IPv6 ISP:
Table 9. WAN ISP IPv6 Settings screen settings for a static IPv6 address
IPv6 Address: The IP address that your ISP assigned to you.
6. Click Apply to save your changes. 7. Verify the connection: a. Select Network Configuration > WAN Settings > WAN Setup. b. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings (see Figure 32 on page 58). c. In the Action column, click the Status button of the WAN interface for which you want to display the Connection Status pop-up screen.
Configure a PPPoE IPv6 Internet Connection
To configure a PPPoE IPv6 Internet connection, you need to enter the PPPoE IPv6 information that you should have received from your ISP. To configure PPPoE IPv6 ISP settings for a WAN interface: 1. Select Network Configuration > WAN Settings > WAN Setup. 2. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings: Figure 35.
Figure 36. 4. In the Internet Address section of the screen, from the IPv6 drop-down list, select PPPoE. 5. In the PPPoE IPv6 section of the screen, enter the settings as described in the following table. You should have received PPPoE IPv6 information from your ISP:
Table 10. WAN IPv6 ISP Settings screen settings for a PPPoE IPv6 connection
User Name: The PPPoE user name that is provided by your ISP.
Table 10. WAN IPv6 ISP Settings screen settings for a PPPoE IPv6 connection (continued)
DHCPv6 Option: From the DHCPv6 Option drop-down list, select one of the following DHCPv6 server options, as directed by your ISP: • Disable-DHCPv6. DHCPv6 is disabled. You need to specify the DNS servers in the Primary DNS Server and Secondary DNS Server fields in order to receive an IP address from the ISP. • DHCPv6 StatelessMode.
Note: If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, you need to enter that address on the WAN Advanced Options screen for the corresponding WAN interface (see Configure Advanced WAN Options and Other Tasks on page 71).
Figure 37. 2. Select the Enable Automatic Tunneling check box. 3. Click Apply to save your changes.
Configure ISATAP Automatic Tunneling
If your network is an IPv4 network or IPv6 network that consists of both IPv4 and IPv6 devices, you need to make sure that the IPv6 packets can travel over the IPv4 intranet by enabling and configuring Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling.
To configure an ISATAP tunnel: 1. Select Network Configuration > WAN Settings > ISATAP Tunnels. The ISATAP Tunnels screen displays. (The following figure shows some examples.) Figure 38. 2. Click the Add table button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays: Figure 39. 3. Specify the tunnel settings as described in the following table. Table 11.
To edit an ISATAP tunnel: 1. On the ISATAP Tunnels screen, click the Edit button in the Action column for the tunnel that you want to modify. The Edit ISATAP Tunnel screen displays. This screen is identical to the Add ISATAP Tunnel screen. 2. Modify the settings as described in the previous table. 3. Click Apply to save your settings. To delete one or more tunnels: 1.
a.b.c.d for part of the IPv6 address so that the IPv4-translated address becomes 0::ffff:0:a.b.c.d/96. For SIIT to function, the routing mode needs to be IPv4 / IPv6. NETGEAR’s implementation of SIIT lets you enter a single IPv4 address on the SIIT screen. This IPv4 address is then used in the IPv4-translated address for IPv6 devices to enable communication between IPv4-only devices on the VPN firewall’s LAN and IPv6-only devices on the WAN.
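The IPv4-translated form 0::ffff:0:a.b.c.d/96 is easy to confuse with the IPv4-mapped form ::ffff:a.b.c.d (the ffff group sits one position further left), and a filter or log parser that mixes the two will misattribute traffic. The following added example, written for this page and not part of NETGEAR's implementation, builds and unpacks the translated address with Python's standard ipaddress module and checks the two configuration constraints the text states (IPv4/IPv6 routing mode, a single IPv4 address). The sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Added example: SIIT IPv4-translated addresses (RFC 2765 form shown in the
# manual as 0::ffff:0:a.b.c.d/96). Sample values below are constructed.

# Top 96 bits of every IPv4-translated address: groups 0,0,0,0,ffff,0 then the IPv4.
SIIT_TRANSLATED_PREFIX = ipaddress.IPv6Network("::ffff:0:0:0/96")
# The IPv4-mapped form ::ffff:a.b.c.d has ffff one group to the right; a
# translator must not confuse the two.
IPV4_MAPPED_PREFIX = ipaddress.IPv6Network("::ffff:0:0/96")


def ipv4_to_siit(ipv4: str) -> ipaddress.IPv6Address:
    """a.b.c.d -> ::ffff:0:a.b.c.d (the IPv4 occupies the low 32 bits)."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(SIIT_TRANSLATED_PREFIX.network_address) | int(v4))


def siit_to_ipv4(ipv6: str):
    """Reverse direction: the embedded IPv4 address, or None if not IPv4-translated."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIIT_TRANSLATED_PREFIX:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def classify(ipv6: str) -> str:
    """Tell translated, mapped and native IPv6 addresses apart."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 in SIIT_TRANSLATED_PREFIX:
        return "ipv4-translated"
    if v6 in IPV4_MAPPED_PREFIX:
        return "ipv4-mapped"
    return "native"


def siit_configuration_check(routing_mode: str, siit_ipv4: str) -> list:
    """The two constraints the manual states: IPv4/IPv6 routing mode and one IPv4 address."""
    problems = []
    if routing_mode != "IPv4/IPv6":
        problems.append("routing mode must be IPv4/IPv6 for SIIT to function")
    try:
        ipaddress.IPv4Address(siit_ipv4)   # rejects networks, ranges and garbage
    except ValueError:
        problems.append(f"{siit_ipv4!r} is not a single IPv4 address")
    return problems


if __name__ == "__main__":
    translated = ipv4_to_siit("192.0.2.10")
    print(translated, classify(str(translated)), siit_to_ipv4(str(translated)))
    print(classify("::ffff:192.0.2.10"), classify("2001:db8::1"))
    print(siit_configuration_check("IPv4 only", "192.0.2.0/24"))
```

Both prefixes are /96, so only the membership test against the right network distinguishes them; comparing string prefixes such as "::ffff:" is exactly the mistake this avoids.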
To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that should function as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.
Note: Ensure that the backup WAN interface is configured before enabling auto-rollover mode. 3. Click Apply to save your settings.
Configure the Failure Detection Method for IPv6 Interfaces
To configure the failure detection method: 1. Select Network Configuration > WAN Settings > WAN Setup. 2. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings (See Figure 29 on page 55). 3.
Note: The default time to roll over after the primary WAN interface has failed is 2 minutes. The minimum test period is 30 seconds, and the minimum number of tests is 2. 6. Click Apply to save your settings. You can configure the VPN firewall to generate a WAN status log and email this log to a specified address (see Configure Logging, Alerts, and Event Notifications on page 362).
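Both the IPv4 (Table 7) and the IPv6 failure detection settings above boil down to one policy: probe a DNS server every test period and roll over to the backup after a number of consecutive failures. The following added simulation, written for this page and not NETGEAR's code, reproduces the figures the note gives (30-second minimum period, minimum of 2 tests, 2-minute default rollover) under the assumption that rollover time equals test period times the number of consecutive failed tests; the probe outcomes and interface names are constructed, and fail-back to the primary is not modelled.

```python
from dataclasses import dataclass, field

# Added example: WAN failure detection and auto-rollover as a state machine.
# The "period x tests" model and the 4-test default are assumptions chosen to
# match the manual's 2-minute default; probe results are constructed.

MIN_TEST_PERIOD_S = 30
MIN_TESTS = 2


@dataclass
class FailureDetection:
    method: str = "WAN DNS"            # or "Custom DNS" with an explicit server
    test_period_s: int = 30
    failures_before_rollover: int = 4  # 4 x 30 s = the manual's 2-minute default

    def __post_init__(self):
        if self.test_period_s < MIN_TEST_PERIOD_S:
            raise ValueError(f"test period must be at least {MIN_TEST_PERIOD_S} s")
        if self.failures_before_rollover < MIN_TESTS:
            raise ValueError(f"number of tests must be at least {MIN_TESTS}")

    def seconds_to_rollover(self) -> int:
        return self.test_period_s * self.failures_before_rollover


def is_valid_policy(test_period_s: int, failures: int) -> bool:
    try:
        FailureDetection(test_period_s=test_period_s, failures_before_rollover=failures)
        return True
    except ValueError:
        return False


@dataclass
class WanMonitor:
    primary: str
    backup: str
    policy: FailureDetection
    active: str = field(init=False)
    consecutive_failures: int = 0
    events: list = field(default_factory=list)   # (elapsed seconds, message)

    def __post_init__(self):
        self.active = self.primary

    def run(self, probe_results):
        """Feed one DNS probe result per test period (True = reply received).
        Returns the interface that is active after the last probe."""
        elapsed = 0
        for ok in probe_results:
            elapsed += self.policy.test_period_s
            if ok:
                self.consecutive_failures = 0   # a single good reply clears the count
                continue
            self.consecutive_failures += 1
            if (self.active == self.primary
                    and self.consecutive_failures >= self.policy.failures_before_rollover):
                self.active = self.backup
                self.events.append((elapsed, f"rollover {self.primary} -> {self.backup}"))
        return self.active


def simulate(probe_results, **policy_kwargs):
    """Run a constructed WAN1 (primary) / WAN2 (backup) pair over the given probe results."""
    monitor = WanMonitor("WAN1", "WAN2", FailureDetection(**policy_kwargs))
    monitor.run(probe_results)
    return monitor


if __name__ == "__main__":
    print("default rollover after", FailureDetection().seconds_to_rollover(), "s")
    m = simulate([True, False, False, False, False])
    print(m.active, m.events)
    flapping = simulate([False, False, True, False, False, False])
    print(flapping.active, flapping.events)
```

The flapping case shows why the count resets on a good reply: two failures, one success and three more failures never reach four consecutive misses, so no rollover happens. The flip side matters for Custom DNS: if the chosen DNS server itself goes away while the link is fine, every probe fails and the firewall rolls over anyway, which is the event the WAN status log described above is there to surface.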
Figure 45. 3. Click the Advanced option arrow in the upper right of the screen. The WAN Advanced Options screen displays for the WAN interface that you selected. (The following figure shows the WAN2 Advanced Options screen as an example.)
Figure 46. 4. Enter the settings as described in the following table:
Table 13. WAN Advanced Options screen settings
MTU Size: Make one of the following selections: Default: Select the Default radio button for the normal maximum transmit unit (MTU) value. For most Ethernet networks, this value is 1500 bytes, or 1492 bytes for PPPoE connections. Custom: Select the Custom radio button, and enter an MTU value in the Bytes field.
Table 13. WAN Advanced Options screen settings (continued)
Speed: In most cases, the VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed. If you know the Ethernet port speed of the modem, dish, or router, select it from the drop-down list.
Table 13. WAN Advanced Options screen settings (continued)
Failure Detection Method. Note: This is the failure detection method for IPv4 interfaces. For information about failure detection for IPv6 interfaces, see Configure the Failure Detection Method for IPv6 Interfaces on page 70. Failure Detection Method: Select a failure detection method from the drop-down list: • WAN DNS.
WARNING: Depending on the changes that you made, when you click Apply, the VPN firewall might restart, or services such as HTTP and SMTP might restart. If you want to configure the advanced settings for an additional WAN interface, select another WAN interface and repeat these steps.
Configure WAN QoS Profiles
The VPN firewall can support multiple Quality of Service (QoS) profiles for each WAN interface.
Note: To configure and apply QoS profiles successfully, familiarity with QoS concepts such as QoS priority queues, IP precedence, DHCP, and their values is helpful. To enable and configure QoS for the WAN interfaces: 1. Select Network Configuration > QoS. The QoS screen displays. (The following screen shows some profiles in the List of QoS Profiles table.) Figure 47. 2. To enable QoS, select the Yes radio button.
• Hosts. The IP address, IP addresses, or group to which the rate control profile applies. (The information in this column does not apply to priority profiles.) • Action. The Edit table button provides access to the Edit QoS screen for the corresponding profile. To add a rate control QoS profile: 1. Select Network Configuration > QoS. The QoS screen displays. 2. Under the List of QoS Profiles table, click the Add table button.
Table 14. Add QoS screen settings for a rate control profile (continued)
Diffserv QoS Match: Enter a DSCP value in the range of 0 through 63. Packets are classified against this value. Leave this field blank to disable packet matching.
Table 14. Add QoS screen settings for a rate control profile (continued)
Inbound Maximum Bandwidth: Enter the inbound maximum bandwidth in Kbps that is allocated to the host. Diffserv QoS Remark: Enter a DSCP value in the range of 0 through 63. Packets are marked with this value. Leave this field blank to disable packet marking. 4. Click Apply to save your settings.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 15. Add QoS screen settings for a priority profile (continued) Setting Description Service From the drop-down list, select a service or application to be covered by this profile. If the service or application does not appear in the list, you need to define it using the Services screen (see Add Customized Services on page 177). Direction From the drop-down list, select the direction to which the priority queue is applied: • Outbound Traffic.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 To edit a QoS profile: 1. In the List of QoS Profiles table, click the Edit table button to the right of the profile that you want to edit. The Edit QoS screen displays. This screen shows the same fields as the Add QoS screen (see the previous two figures). 2. Modify the settings as described in the previous two tables. 3. Click Apply to save your settings. To delete a QoS profile: 1.
3. LAN Configuration
This chapter describes how to configure the LAN features of your VPN firewall.
Manage IPv4 Virtual LANs and DHCP Options
• Port-Based VLANs
• Assign and Manage VLAN Profiles
• VLAN DHCP Options
• Configure a VLAN Profile
• Configure VLAN MAC Addresses and LAN Advanced Settings
A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges, or switches in the same physical segment or segments connect all end node devices. Endpoints can communicate with each other without the need for a router.
Port-Based VLANs
The VPN firewall supports port-based VLANs. Port-based VLANs help to confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port can have only one VLAN ID as its port VLAN identifier (PVID). By default, all four LAN ports of the VPN firewall are assigned to the default VLAN, or VLAN 1. Therefore, by default, all four LAN ports have the default PVID 1.
Assign and Manage VLAN Profiles
To assign VLAN profiles to the LAN ports and manage VLAN profiles:
1. Select Network Configuration > LAN Setting. In the upper right of the screen, the IPv4 radio button is selected by default. The LAN submenu tabs display, with the LAN Setup screen in view, displaying the IPv4 settings. (The following figure contains some VLAN profiles as an example.)
Figure 50.
VLAN DHCP Options
For each VLAN, you need to specify the Dynamic Host Configuration Protocol (DHCP) options (see Configure a VLAN Profile on page 88). The configuration of the DHCP options for the VPN firewall's default VLAN, or VLAN 1, is described in Configure the IPv4 Internet Connection and WAN Settings on page 29. This section provides further information about the DHCP options.
firewall's LAN IP address). When the DNS proxy option is disabled for a VLAN, all DHCP clients receive the DNS IP addresses of the ISP but without the DNS proxy IP address.
LDAP Server
A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server.
Figure 52.
3. Enter the settings as described in the following table:
Table 16. Add VLAN Profile screen settings
VLAN Profile
Profile Name. Enter a unique name for the VLAN profile.
VLAN ID. Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. Note: You can enter VLAN IDs from 2 to 4089. VLAN ID 1 is reserved for the default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
Port Membership
Port 1, Port 2, Port 3, Port 4 / DMZ. Select one, several, or all port check boxes to make the ports members of this VLAN. Note: A port that is defined as a member of a VLAN profile can send and receive data frames that are tagged with the VLAN ID.
IP Setup
IP Address. Enter the IP address of the VPN firewall (the factory default address is 192.168.1.1).
Enable DHCP Server. Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. (For the default VLAN, the DHCP server is enabled by default.) Enter the following settings:
DHCP Relay
Domain Name. This setting is optional.
Enable LDAP information. To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings:
LDAP Server. The IP address or name of the LDAP server.
Search Base. The search objects that specify the location in the directory tree from which the LDAP search begins.
To edit a VLAN profile:
1. On the LAN Setup screen for IPv4 (see Figure 51 on page 88), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays. This screen is identical to the Add VLAN Profile screen (see Figure 52 on page 89).
2. Modify the settings as described in the previous table.
3. Click Apply to save your settings.
Figure 53.
3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.)
4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by default for the default VLAN.)
5. Click Apply to save your settings.
The following is an example of correctly configured IPv4 addresses:
• WAN IP address. 10.0.0.1 with subnet 255.0.0.0
• DMZ IP address. 176.16.2.1 with subnet 255.255.255.0
• Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0
• Secondary LAN IP address. 192.168.20.1 with subnet 255.255.255.0
To add a secondary LAN IPv4 address:
1. Select Network Configuration > LAN Settings > LAN Multi-homing.
2. Modify the IP address or subnet mask, or both.
3. Click Apply to save your settings.
To delete one or more secondary LAN IP addresses:
1. On the LAN Multi-homing screen for IPv4 (see the previous figure), select the check box to the left of each secondary IP address that you want to delete, or click the Select All table button to select all secondary IP addresses.
2. Click the Delete table button.
• There is no need to reserve an IP address for a computer in the DHCP server. All IP address assignments made by the DHCP server are maintained until the computer or device is removed from the network database, either by expiration (inactive for a long time) or by you.
• There is no need to use a fixed IP address on a computer.
The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display:
• Check box. Allows you to select the computer or device in the table.
• Name. The name of the computer or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name).
Table 17. Add Known PCs and Devices section settings (continued)
IP Address. Enter the IP address that this computer or device is assigned to:
• If the IP address type is Fixed (set on PC), the IP address needs to be outside of the address range that is allocated to the DHCP server pool to prevent the IP address from also being allocated by the DHCP server.
Figure 56.
2. Modify the settings as described in Table 17 on page 98.
3. Click Apply to save your settings in the Known PCs and Devices table.
Deleting Computers or Devices from the Network Database
To delete one or more computers or devices from the network database:
1.
Figure 57.
3. Select the radio button next to the group name that you want to change.
4. Type a new name in the field. The maximum number of characters is 15. Do not use a double quote ("), single quote ('), or space in the name.
5. Click Apply to save your settings.
Note: You can change only one group name at a time.
Note: The saved binding is also displayed on the IP/MAC Binding screen (see Figure 116 on page 193).
Manage the IPv6 LAN
• DHCPv6 Server Options
• Configure the IPv6 LAN
• Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN
An IPv6 LAN typically functions with site-local and link-local unicast addresses.
DHCPv6 Server Options
The IPv6 clients in the LAN can autoconfigure their own IPv6 address or obtain an IPv6 address through a DHCPv6 server. For the LAN, there are three DHCPv6 options:
Stateless DHCPv6 Server. The IPv6 clients in the LAN generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCPv6 server.
Stateful DHCPv6 Server. The IPv6 clients in the LAN obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server. The IP address is a dynamic address. For stateful DHCPv6, you need to configure IPv6 address pools (see IPv6 LAN Address Pools on page 106).
Configure the IPv6 LAN
To configure the IPv6 LAN settings:
1. Select Network Configuration > LAN Settings.
2.
3. Enter the settings as described in the following table. The IPv6 address pools and prefixes for prefix delegation are described in the sections following the table.
Table 18. LAN Setup screen settings for IPv6
IPv6 LAN Setup
IPv6 Address. Enter the LAN IPv6 address. The default address is fec0::1. (For more information, see the introduction to this section, Manage the IPv6 LAN.)
DHCP Status (continued)
Server Preference. Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting. This is an optional setting that specifies the server's preference value in a server advertise message. The client selects the server with the highest preference value as the preferred server.
Figure 59.
2. Enter the settings as described in the following table:
Table 19. LAN IPv6 Config screen settings
Start IPv6 Address. Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the LAN is assigned an IP address between this address and the end IP address.
End IPv6 Address. Enter the end IP address.
Delegation table to enable the DHCPv6 server to assign these prefixes to its IPv6 LAN clients.
To add an IPv6 prefix:
1. On the LAN Setup screen for IPv6, under the List of Prefixes for Prefix Delegation table, click Add. The Add Prefix Delegation Prefixes screen displays:
Figure 60.
2. Enter the following settings:
• IPv6 Prefix. Enter a prefix, for example, 2001:db8::.
• IPv6 Prefix Length. Enter the IPv6 prefix length, for example, 64.
3.
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN
Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Daemon (RADVD) and advertisement prefixes.
The RADVD is an application that uses the Neighbor Discovery Protocol (NDP) to collect link-local advertisements of IPv6 addresses and IPv6 prefixes in the LAN.
To configure the Router Advertisement Daemon for the LAN:
1. Select Network Configuration > LAN Settings.
2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings (see Figure 58 on page 104).
3. To the right of the LAN Setup tab, click the RADVD option arrow. The RADVD screen for the LAN displays. (The following figure contains some examples.)
Figure 61.
4.
Table 21. RADVD screen settings for the LAN (continued)
RA Flags. Specify what type of information the DHCPv6 server provides in the LAN by making a selection from the drop-down list:
• Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
• Other.
Figure 62.
2. Enter the settings as described in the following table:
Table 22. Add Advertise Prefixes screen settings for the LAN
IPv6 Prefix Type. Specify the IPv6 prefix type by making a selection from the drop-down list:
• 6to4. The prefix is for a 6to4 address. You need to select a WAN interface from the 6to4 Interface drop-down list, and complete the SLA ID field and Prefix Lifetime field. The other fields are masked out.
3. Click Apply to save your settings.
To delete one or more advertisement prefixes:
1. On the RADVD screen for the LAN (see Figure 61 on page 110), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
2. Click the Delete table button.
3. In the Add Secondary LAN IP Address section of the screen, enter the following settings:
• IPv6 Address. Enter the secondary address that you want to assign to the LAN ports.
• Prefix Length. Enter the prefix length for the secondary IP address.
4. Click the Add table button in the rightmost column to add the secondary IP address to the Available Secondary LAN IPs table.
By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT.
Figure 64.
2. Enter the settings as described in the following table:
Table 23. DMZ Setup screen settings for IPv4
DMZ Port Setup
Do you want to enable DMZ Port? Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields.
• No. Allows you to disable the DMZ port after you have configured it.
IP Address. Enter the IP address of the DMZ port.
DHCP for DMZ Connected Computers
Disable DHCP Server. If another device on your network is the DHCP server for the VLAN, or if you intend to manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting.
Enable LDAP information. To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings:
LDAP Server. The IP address or name of the LDAP server.
Search Base. The search objects that specify the location in the directory tree from which the LDAP search begins.
For the DMZ, there are two DHCPv6 server options:
• Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCPv6 server.
3. Enter the settings as described in the following table:
Table 24. DMZ Setup screen settings for IPv6
DMZ Port Setup
Do you want to enable DMZ Port? Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields.
• No. Allows you to disable the DMZ port after you have configured it.
IPv6 Address. Enter the IP address of the DMZ port.
DHCP Status (continued)
DNS Server. Select one of the DNS server options from the drop-down lists:
• Use DNS Proxy. The VPN firewall acts as a proxy for all DNS requests and communicates with the ISP's DNS servers that you configured on the WAN IPv6 ISP Settings screen (see Configure a Static IPv6 Internet Connection on page 58).
• Use DNS from ISP.
2. Enter the settings as described in the following table:
Table 25. DMZ IPv6 Config screen settings
Start IPv6 Address. Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the DMZ is assigned an IP address between this address and the end IP address.
End IPv6 Address. Enter the end IP address.
Hosts and routers in the LAN use NDP to determine the link-layer addresses and related information of neighbors in the LAN that can forward packets on their behalf. The VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ. RAs include IPv6 addresses, types of prefixes, prefix addresses, prefix lifetimes, the maximum transmission unit (MTU), and so on.
Figure 67.
4. Enter the settings as described in the following table:
Table 27. RADVD screen settings for the DMZ
RADVD Status. Specify the RADVD status by making a selection from the drop-down list:
• Enable. The RADVD is enabled, and the RADVD fields become available for you to configure.
• Disable. The RADVD is disabled, and the RADVD fields are masked out. This is the default setting.
RA Flags. Specify what type of information the DHCPv6 server provides in the DMZ by making a selection from the drop-down list:
• Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
• Other.
Figure 68.
2. Enter the settings as described in the following table:
Table 28. Add Advertisement Prefix screen settings for the DMZ
IPv6 Prefix Type. Specify the IPv6 prefix type by making a selection from the drop-down list:
• 6to4. The prefix is for a 6to4 address. You need to select a WAN interface from the 6to4 Interface drop-down list, and complete the SLA ID field and Prefix Lifetime field. The other fields are masked out.
3. Click Apply to save your settings.
To delete one or more advertisement prefixes:
1. On the RADVD screen for the DMZ (see Figure 67 on page 124), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
2. Click the Delete table button.
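The RADVD sections for the LAN and the DMZ above describe router advertisements in terms of the RA Flags (Managed, Other), advertised prefixes with lifetimes, and the MTU. The following added example (not NETGEAR code) encodes and decodes an ICMPv6 Router Advertisement in the RFC 4861 wire format so that those settings can be seen as the bits a host actually receives; the sample prefix, lifetimes and MTU are constructed values, and the mapping of the stateless/stateful DHCPv6 modes to the M and O flags follows the manual's descriptions.

```python
"""Encode/decode an ICMPv6 Router Advertisement (RFC 4861) carrying the
fields a RADVD screen configures: M/O flags, prefix options, MTU option.
Added example; the sample values below are constructed, not from a device."""
import struct
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 4.6.2)
OPT_MTU = 5              # MTU option (RFC 4861 4.6.4)
FLAG_MANAGED = 0x80      # M flag: addresses come from (stateful) DHCPv6
FLAG_OTHER = 0x40        # O flag: other configuration (DNS) comes from DHCPv6
PFX_ONLINK = 0x80        # L flag: prefix is on-link
PFX_AUTONOMOUS = 0x40    # A flag: hosts may form addresses from it (SLAAC)


@dataclass
class Prefix:
    prefix: str                 # e.g. "2001:db8::"
    length: int                 # e.g. 64
    valid_lifetime: int         # seconds
    preferred_lifetime: int     # seconds
    autonomous: bool = True
    on_link: bool = True


@dataclass
class RouterAdvertisement:
    managed: bool               # "Managed" RA flag on the RADVD screen
    other: bool                 # "Other" RA flag
    router_lifetime: int        # seconds; 0 means "not a default router"
    mtu: Optional[int] = None
    prefixes: List[Prefix] = field(default_factory=list)
    cur_hop_limit: int = 64


def ra_flags_for(mode: str) -> Tuple[bool, bool]:
    """Map the DHCPv6 modes described in the manual to the (M, O) flags.
    stateless: clients build addresses from RAs, DNS from DHCPv6 -> M=0, O=1
    stateful:  address and other configuration from DHCPv6        -> M=1, O=1
    """
    if mode == "stateless":
        return (False, True)
    if mode == "stateful":
        return (True, True)
    raise ValueError(f"unknown DHCPv6 mode: {mode}")


def encode(ra: RouterAdvertisement) -> bytes:
    flags = (FLAG_MANAGED if ra.managed else 0) | (FLAG_OTHER if ra.other else 0)
    # ICMPv6 header: type, code, checksum (left 0 here; the IPv6 stack computes
    # it over the pseudo-header), hop limit, flags, router lifetime,
    # reachable time, retrans timer.
    out = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, ra.cur_hop_limit, flags,
                      ra.router_lifetime, 0, 0)
    if ra.mtu is not None:
        out += struct.pack("!BBHI", OPT_MTU, 1, 0, ra.mtu)      # length 1 = 8 octets
    for p in ra.prefixes:
        pflags = (PFX_ONLINK if p.on_link else 0) | (PFX_AUTONOMOUS if p.autonomous else 0)
        out += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, p.length, pflags,
                           p.valid_lifetime, p.preferred_lifetime, 0)  # length 4 = 32 octets
        out += ipaddress.IPv6Address(p.prefix).packed
    return out


def decode(data: bytes) -> RouterAdvertisement:
    typ, code, _csum, hop, flags, rlife, _reach, _retrans = struct.unpack_from("!BBHBBHII", data, 0)
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(bool(flags & FLAG_MANAGED), bool(flags & FLAG_OTHER),
                             rlife, cur_hop_limit=hop)
    off = 16
    while off < len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: packet must be discarded
        body = data[off:off + olen * 8]
        if otype == OPT_MTU:
            ra.mtu = struct.unpack_from("!I", body, 4)[0]
        elif otype == OPT_PREFIX_INFO:
            plen, pflags, valid, pref = struct.unpack_from("!BBII", body, 2)
            pfx = ipaddress.IPv6Address(body[16:32])
            ra.prefixes.append(Prefix(str(pfx), plen, valid, pref,
                                      bool(pflags & PFX_AUTONOMOUS), bool(pflags & PFX_ONLINK)))
        # options this decoder does not know are skipped, as RFC 4861 requires
        off += olen * 8
    return ra


def example_stateless_ra() -> bytes:
    """Constructed sample: stateless DHCPv6 on the LAN, one /64 advertised,
    MTU 1500. Valid/preferred lifetimes are example values in seconds."""
    m, o = ra_flags_for("stateless")
    return encode(RouterAdvertisement(m, o, 1800, mtu=1500,
                                      prefixes=[Prefix("2001:db8::", 64, 86400, 14400)]))
```

Decoding the bytes and checking the M/O flags and prefix lifetimes is also what a defender would do with captured RAs to confirm that only the configured router is advertising the expected prefixes.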
2. Click the Add table button under the Static Routes table. The Add Static Route screen displays:
Figure 70.
3. Enter the settings as described in the following table:
Table 29. Add Static Route screen settings for IPv4
Route Name. The route name for the static route (for purposes of identification and management).
Active. To make the static route effective, select the Active check box.
displays. This screen is identical to the Add Static Route screen (see the previous figure).
2. Modify the settings as described in the previous table.
3. Click Apply to save your settings.
To delete one or more routes:
1. On the Static Routing screen for IPv4 (see Figure 69 on page 127), select the check box to the left of each route that you want to delete, or click the Select All table button to select all routes.
2. Click the Delete table button.
3. Enter the settings as described in the following table:
Table 30. RIP Configuration screen settings
RIP
RIP Direction. From the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP packets:
• None. The VPN firewall neither advertises its route table nor accepts any RIP packets from other routers. This effectively disables RIP, and is the default setting.
• In Only.
Authentication for RIP-2B/2M required? (continued)
Not Valid Before. The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
Not Valid After. The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second.
Manage Static IPv6 Routing
NETGEAR's implementation of IPv6 does not support RIP next generation (RIPng) to exchange routing information, and dynamic changes to IPv6 routes are not possible. To enable routers to exchange information over a static IPv6 route, you need to manually configure the static route information on each router.
To add an IPv6 static route to the Static Route table:
1. Select Network Configuration > Routing.
2.
4. Enter the settings as described in the following table:
Table 31. Add IPv6 Static Routing screen settings
Route Name. The route name for the static route (for purposes of identification and management).
Active. To make the static route effective, select the Active check box. Note: A route can be added to the table and made inactive if not needed. This allows you to use routes as needed without deleting and re-adding the entry.
4. Firewall Protection
This chapter describes how to use the firewall features of the VPN firewall to protect your network.
About Firewall Protection
A firewall protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two.
You can further segment keyword blocking to certain known groups. For information about how to set up LAN groups, see Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 96.
Overview of Rules to Block or Allow Specific Kinds of Traffic
• Outbound Rules (Service Blocking)
• Inbound Rules (Port Forwarding)
• Order of Precedence for Rules
Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 firewall rules on the VPN firewall (see the following table).
• Bandwidth profiles. After you have configured a bandwidth profile (see Create Bandwidth Profiles on page 181), you can assign it to a rule.
Outbound Rules (Service Blocking)
The VPN firewall allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering.
Table 33. Outbound rules overview (continued)
Select Schedule. The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule.
• This drop-down list is activated only when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the action.
QoS Profile or QoS Priority. The priority assigned to IP packets of this service. The priorities are defined by Type of Service in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which, in turn, determines the quality of that service for the traffic passing through the firewall.
Inbound Rules (Port Forwarding)
If you have enabled Network Address Translation (NAT), your network presents one IP address only to the Internet, and outside users cannot directly access any of your local computers (LAN users). (For information about configuring NAT, see Network Address Translation on page 29.) However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and available to the Internet.
Note: When the Block TCP Flood and Block UDP Flood check boxes are selected on the Attack Checks screen (which they are by default; see Attack Checks on page 170), multiple concurrent connections of the same application from one host or IP address (such as multiple DNS queries from one computer) trigger the VPN firewall's DoS protection.
Table 34. Inbound rules overview (continued)
Send to LAN Server (IPv4 LAN WAN rules). The LAN server address determines which computer on your network is hosting this service rule. (You can also translate this address to a port number.) The options are:
• Single address. Enter the required address in the Start field to apply the rule to a single device on your LAN.
• Address range.
WAN Users (LAN WAN rules, DMZ WAN rules). The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
• Any. All Internet IP addresses are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Enter the required addresses in the Start and Finish fields.
• IP Group.
Bandwidth Profile (IPv4 LAN WAN rules). Bandwidth limiting determines how the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. For more information, see Create Bandwidth Profiles on page 181.
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services tables, beginning at the top of each table and proceeding to the bottom of each table. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.
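The order-of-precedence rule above (top of the table first, first match decides) is easy to get wrong when a host-specific rule and a subnet-wide rule cover the same service. The following added example (not NETGEAR code) models an Outbound Services table with the Action values the manual names, including the schedule-dependent ones, and shows the same packet being allowed or blocked purely because two rules swap positions; the Packet fields, the schedule representation and the sample addresses are assumptions made for this example.

```python
"""Model of first-match evaluation over an Outbound Services table.
Added example; rule semantics follow the manual's descriptions, while the
packet/schedule representations and sample values are constructed here."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Action values as they appear in the Action drop-down list.
BLOCK_ALWAYS = "BLOCK always"
ALLOW_ALWAYS = "ALLOW always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule, otherwise allow"
ALLOW_BY_SCHEDULE = "ALLOW by schedule, otherwise block"


@dataclass(frozen=True)
class Packet:
    service: str        # a Services-screen name, e.g. "HTTP" (assumed form)
    src: str            # LAN host sending the packet
    dst: str            # Internet destination
    when: datetime      # arrival time, used for schedule checks


@dataclass
class Rule:
    service: str                      # service name or "ANY"
    lan_users: str                    # LAN Users: "Any", one address, or a CIDR range
    wan_users: str                    # WAN Users: same forms
    action: str
    schedule: Optional[str] = None    # Schedule1..Schedule3, only for by-schedule actions
    enabled: bool = True              # a disabled rule is skipped (gray status icon)


# Schedules are configured elsewhere on the firewall; modelled here as
# (set of weekdays, start hour, end hour), Monday = 0.
Schedule = Tuple[Set[int], int, int]


def addr_matches(spec: str, addr: str) -> bool:
    """'Any' covers everything; otherwise a single address or a CIDR range."""
    if spec == "Any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def in_schedule(sched: Schedule, when: datetime) -> bool:
    days, start, end = sched
    return when.weekday() in days and start <= when.hour < end


def verdict(rule: Rule, pkt: Packet, schedules: Dict[str, Schedule]) -> str:
    """Resolve a matched rule's Action to BLOCK or ALLOW for this packet."""
    if rule.action == BLOCK_ALWAYS:
        return "BLOCK"
    if rule.action == ALLOW_ALWAYS:
        return "ALLOW"
    if rule.schedule is None:
        raise ValueError("by-schedule action requires a schedule")
    active = in_schedule(schedules[rule.schedule], pkt.when)
    if rule.action == BLOCK_BY_SCHEDULE:
        return "BLOCK" if active else "ALLOW"
    if rule.action == ALLOW_BY_SCHEDULE:
        return "ALLOW" if active else "BLOCK"
    raise ValueError(f"unknown action: {rule.action}")


def evaluate(rules: List[Rule], pkt: Packet, schedules: Dict[str, Schedule],
             default_policy: str) -> Tuple[str, Optional[int]]:
    """Walk the table from the top; the first enabled rule whose service and
    addresses match decides. Returns (disposition, rule index), or the
    default outbound policy with index None when nothing matches."""
    for i, r in enumerate(rules):
        if not r.enabled:
            continue
        if r.service not in ("ANY", pkt.service):
            continue
        if addr_matches(r.lan_users, pkt.src) and addr_matches(r.wan_users, pkt.dst):
            return verdict(r, pkt, schedules), i
    return default_policy, None


def order_demo() -> Tuple[str, str]:
    """Constructed scenario: a host-specific ALLOW and a subnet-wide
    business-hours BLOCK for HTTP. Clicking Up on the BLOCK rule so that it
    sits above the ALLOW rule flips the outcome for the same packet."""
    schedules = {"Schedule1": ({0, 1, 2, 3, 4}, 9, 17)}          # Mon-Fri 09:00-17:00
    allow_host = Rule("HTTP", "192.168.1.50", "Any", ALLOW_ALWAYS)
    block_lan = Rule("HTTP", "192.168.1.0/24", "Any", BLOCK_BY_SCHEDULE, "Schedule1")
    pkt = Packet("HTTP", "192.168.1.50", "203.0.113.10",
                 datetime(2013, 4, 10, 11, 0))                   # a Wednesday, 11:00
    allow_first, _ = evaluate([allow_host, block_lan], pkt, schedules, "ALLOW")
    block_first, _ = evaluate([block_lan, allow_host], pkt, schedules, "ALLOW")
    return allow_first, block_first
```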
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the table rank. • Edit. Lets you change the definition of an existing rule.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 To enable, disable, or delete one or more IPv4 or IPv6 rules: 1. Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules. 2. Click one of the following table buttons: • Enable. Enables the rule or rules. The ! status icon changes from a gray circle to a green circle, indicating that the selected rule or rules are enabled.
Figure 77.
2. Enter the settings as described in Table 33 on page 137.
Figure 78.
3. Enter the settings as described in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• LAN Users
• WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down lists:
• Select Schedule
• QoS Priority
4. Click Apply to save your changes.
IPv4 LAN WAN Inbound Service Rules
To create an IPv4 LAN WAN inbound rule:
1. In the upper right of the LAN WAN Rules screen, the IPv4 radio button is selected by default. The screen displays the IPv4 settings (see Figure 75 on page 145). Click the Add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen for IPv4 displays:
Figure 79.
2. Enter the settings as described in Table 34 on page 141.
The following configurations are optional:
• Translate to Port Number
• QoS Profile
• Bandwidth Profile
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
IPv6 LAN WAN Inbound Rules
To create an IPv6 LAN WAN inbound rule:
1. In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 76 on page 146).
2.
Configure DMZ WAN Rules
• Create DMZ WAN Outbound Service Rules
• Create DMZ WAN Inbound Service Rules
The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen. The default outbound policy is to block all traffic from and to the Internet.
To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons:
• Up. Moves the rule up one position in the table rank.
• Down. Moves the rule down one position in the table rank.
• Edit. Lets you change the definition of an existing rule.
To enable, disable, or delete one or more IPv4 or IPv6 rules:
1. Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules.
2. Click one of the following table buttons:
• Enable. Enables the rule or rules. The status icon changes from a gray circle to a green circle, indicating that the selected rule or rules are enabled.
2. Enter the settings as described in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• DMZ Users
• WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists:
• Select Schedule
• NAT IP (This drop-down list is available only when the WAN mode is NAT.
Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists:
• Select Schedule
• QoS Priority
4. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
Create DMZ WAN Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed.
2. Enter the settings as described in Table 34 on page 141. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• WAN Destination IP Address
• DMZ Users (This drop-down list is available only when the WAN mode is Classical Routing. When the WAN mode is NAT, your network presents only one IP address to the Internet.
Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down list:
• Select Schedule
4. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons:
• Up. Moves the rule up one position in the table rank.
• Down. Moves the rule down one position in the table rank.
• Edit. Lets you change the definition of an existing rule.
2. Click one of the following table buttons:
• Enable. Enables the rule or rules. The status icon changes from a gray circle to a green circle, indicating that the selected rule or rules are enabled. (By default, when a rule is added to the table, it is automatically enabled.)
• Disable. Disables the rule or rules. The status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled.
• Delete.
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list:
• Select Schedule
3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
IPv6 LAN DMZ Outbound Service Rules
To create an IPv6 LAN DMZ outbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv6 radio button.
Create LAN DMZ Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the LAN to the DMZ) is blocked.
IPv4 LAN DMZ Inbound Service Rules
To create an IPv4 LAN DMZ inbound rule:
1. In the upper right of the LAN DMZ Rules screen, the IPv4 radio button is selected by default.
IPv6 LAN DMZ Inbound Service Rules
To create an IPv6 LAN DMZ inbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 88 on page 159).
2. Click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen for IPv6 displays:
Figure 92.
3. Enter the settings as described in Table 34 on page 141.
Examples of Firewall Rules
• Examples of Inbound Firewall Rules
• Examples of Outbound Firewall Rules
Examples of Inbound Firewall Rules
IPv4 LAN WAN Inbound Rule: Host a Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.
Figure 93.
Figure 94.
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping
In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the VPN firewall to host an additional public IP address and associate this address with a web server on the LAN. The following addressing scheme is used to illustrate this procedure:
• NETGEAR VPN firewall:
- WAN IP address. 10.1.0.
Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN computers through NAT. The other addresses are available to map to your servers.
To configure the VPN firewall for additional IP addresses:
1.
this address on the WAN2 Secondary Addresses screen (see Configure Secondary WAN Addresses on page 47) before you can select it from the WAN Destination IP Address drop-down list.
8. Click Apply to save your settings. The rule is now added to the Inbound Services table of the LAN WAN Rules screen.
WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
Figure 98.
IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet
If you want to allow a group of DMZ users to access a particular FTP site on the Internet during working hours, you can create an outbound rule to allow such traffic by specifying the IPv6 DMZ start and finish addresses and the IPv6 WAN address. On the Schedule screen, create a schedule that specifies working hours, and assign it to the rule.
Configure Other Firewall Features
• Attack Checks
• Set Limits for IPv4 Sessions
• Configure Multicast Pass-Through for IPv4 Traffic
• Manage the Application Level Gateway for SIP Sessions
You can configure attack checks, set session limits, configure multicast pass-through, and manage the application level gateway (ALG) for SIP sessions.
2. Enter the settings as described in the following table:
Table 35. Attack Checks screen settings for IPv4
WAN Security Checks
Respond to Ping on Internet Ports: Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet to its IPv4 address. A ping can be used as a diagnostic tool.
Table 35. Attack Checks screen settings for IPv4 (continued)
VPN Pass through (IPSec, PPTP, L2TP): When the VPN firewall functions in NAT mode, all packets going to the remote VPN gateway are first filtered through NAT and then encrypted according to the VPN policy.
Set Limits for IPv4 Sessions
The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IPv4 connection across the VPN firewall. The session limits feature is disabled by default.
To enable and configure session limits:
1. Select Security > Firewall > Session Limit. The Session Limit screen displays:
Figure 102.
2. Select the Yes radio button under Do you want to enable Session Limit?
3.
Table 36. Session Limit screen settings (continued)
User Limit Parameter: From the User Limit Parameter drop-down list, select one of the following options:
• Percentage of Max Sessions. A percentage of the total session connection capacity of the VPN firewall.
• Number of Sessions. An absolute number of maximum sessions.
User Limit: Enter a number to indicate the user limit.
Figure 103.
2. In the Multicast Pass through section of the screen, select the Yes radio button to enable multicast pass-through. (By default, the Yes radio button is selected and multicast pass-through is enabled.) When you enable multicast pass-through, an Internet Group Management Protocol (IGMP) proxy is enabled for the upstream (WAN) and downstream (LAN) interfaces.
To delete one or more multicast source addresses:
1. In the Alternate Networks table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.
• QoS profiles and priorities. A Quality of Service (QoS) profile defines the relative priority of an IP packet for traffic that matches the firewall rule. For information about creating QoS profiles for IPv4 firewall rules, see Create Quality of Service Profiles for IPv4 Firewall Rules on page 184.
Figure 105.
2. In the Add Custom Service section of the screen, enter the settings as described in the following table:
Table 37. Services screen settings
Name: A descriptive name of the service for identification and management purposes.
Figure 106.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified service is displayed in the Custom Services table.
To delete one or more services:
1. In the Custom Services table, select the check box to the left of each service that you want to delete, or click the Select All table button to select all services.
2. Click the Delete table button.
2. In the Add New Custom IP Group section of the screen, do the following:
• In the IP Group Name field, enter a name for the group.
• From the IP Group Type drop-down list, select LAN Group or WAN Group.
3. Click Apply to save your changes. The new IP group is displayed in the Custom IP Groups Table.
4. In the Custom IP Groups Table, click the Edit table button to the right of the IP group that you just created. The Edit IP Group screen displays.
To delete an IP group:
1. In the Custom IP Groups table, select the check box to the left of the IP group that you want to delete, or click the Select All table button to select all groups.
2. Click the Delete table button.
Create Bandwidth Profiles
Bandwidth profiles determine how data is communicated with the hosts.
Figure 109.
2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays:
Figure 110.
3. Enter the settings as described in the following table:
Table 38. Add Bandwidth Profile screen settings
Profile Name: A descriptive name of the bandwidth profile for identification and management purposes.
Table 38. Add Bandwidth Profile screen settings (continued)
Inbound Minimum Bandwidth: The inbound minimum allocated bandwidth in Kbps. There is no default setting.
Inbound Maximum Bandwidth: The inbound maximum allowed bandwidth in Kbps. The maximum allowable bandwidth is 100,000 Kbps, and you cannot configure less than 100 Kbps. There is no default setting.
Create Quality of Service Profiles for IPv4 Firewall Rules
A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall. A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule or service, and traffic matching the firewall rule or service is processed by the VPN firewall.
Figure 112.
3. Enter the settings as described in the following table.
Table 39. Add QoS Profile screen settings
Profile Name: A descriptive name of the QoS profile for identification and management purposes.
Re-Mark: Select the Re-Mark check box to set the Differentiated Services (DiffServ) mark in the Type of Service (ToS) byte of an IP header by specifying the QoS type (IP precedence or DSCP) and QoS value.
To edit a QoS profile:
1. In the List of QoS Profiles table, click the Edit table button to the right of the QoS profile that you want to edit. The Edit QoS Profile screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified QoS profile is displayed in the List of QoS Profiles table.
To delete a QoS profile:
1.
Several types of blocking are available:
• Web component blocking. You can block the following web component types: proxy, Java, ActiveX, and cookies. Even sites that are listed in the Trusted Domains table are subject to web component blocking when the blocking of a particular web component is enabled.
- Proxy.
• If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu, .org, or .gov) can be viewed.
• If you wish to block all Internet browsing access, enter . (period) as the keyword.
To enable and configure content filtering:
1. Select Security > Content Filtering. The Block Sites screen displays. (The following figure shows some examples.)
Figure 113.
2.
3. In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected):
• Proxy. Blocks proxy servers.
• Java. Blocks Java applets from being downloaded.
• ActiveX. Blocks ActiveX applets from being downloaded.
• Cookies. Blocks cookies from being created by a website.
To set a schedule:
1. Select Security > Services > Schedule 1. The Schedule 1 screen displays:
Figure 114.
2. In the Scheduled Days section, select one of the following radio buttons:
• All Days. The schedule is in effect all days of the week.
• Specific Days. The schedule is in effect only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect.
3.
Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 137.
To enable MAC filtering and add MAC addresses to be permitted or blocked:
1. Select Security > Address Filter. The Address Filter submenu tabs display, with the Source MAC Filter screen in view. (The following figure shows one address in the MAC Addresses table as an example.)
Figure 115.
2.
WARNING: If you select Permit and Block the rest from the drop-down list but do not add the MAC address of the computer from which you are accessing the web management interface, you are locked out of the web management interface.
6. Click the Add table button. The MAC address is added to the MAC Addresses table.
7. Repeat the previous two steps to add more MAC addresses to the MAC Addresses table.
To remove one or more MAC addresses from the table:
1.
• Host 2 has changed its MAC address to 00:01:02:03:04:09. The packet has an IP address that matches the IP address in the IP/MAC Bindings table but a MAC address that does not match the MAC address in the IP/MAC Bindings table.
• Host 3 has changed its IP address to 192.168.10.15. The packet has a MAC address that matches the MAC address in the IP/MAC Bindings table but an IP address that does not match the IP address in the IP/MAC Bindings table.
4. In the IP/MAC Bindings sections of the screen, enter the settings as described in the following table:
Table 40. IP/MAC Binding screen settings for IPv4
Name: A descriptive name of the binding for identification and management purposes.
MAC Address: The MAC address of the computer or device that is bound to the IP address.
IP Address: The IPv4 address of the computer or device that is bound to the MAC address.
4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.
IPv6/MAC Bindings
To set up a binding between a MAC address and an IPv6 address:
1. Select Security > Address Filter > IP/MAC Binding.
2. In the upper right of the screen, select the IPv6 radio button. The IP/MAC Binding screen displays the IPv6 settings.
Table 41. IP/MAC Binding screen settings for IPv6 (continued)
IP Address: The IPv6 address of the computer or device that is bound to the MAC address.
Log Dropped Packets: To log the dropped packets, select Enable from the drop-down list. The default setting is Disable.
6. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table.
To edit an IP/MAC binding:
1.
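The Host 2 and Host 3 cases above, worked through as an added Python example that is not NETGEAR code: a packet whose source IP is bound to a different MAC, or whose source MAC is bound to a different IP, is dropped, and the drop is logged only when Log Dropped Packets is enabled. The bindings table, the original MAC of Host 2 and the original IP of Host 3 are constructed, and the choice to log when any involved binding has logging enabled is an assumption, since the manual does not say which binding's setting applies when two are involved.

```python
"""IP/MAC binding check (added example, not NETGEAR code).
IP and MAC both match a binding -> pass; IP bound to a different MAC (Host 2) -> drop;
MAC bound to a different IP (Host 3) -> drop. A drop is logged only when an involved
binding has Log Dropped Packets enabled (assumption when two bindings are involved)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-01-02-03-04-09 equals 00:01:02:03:04:09."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def norm_ip(ip: str) -> str:
    """Canonical text form for IPv4 and IPv6 (2001:DB8:0:0::10 and 2001:db8::10 compare equal)."""
    return str(ip_address(ip))

@dataclass(frozen=True)
class Binding:
    name: str
    mac: str
    ip: str
    log_dropped: bool = False  # the Log Dropped Packets drop-down list

@dataclass(frozen=True)
class Verdict:
    action: str          # "pass" or "drop"
    reason: str
    log: Optional[str]   # log line, or None when the drop is not logged

class BindingTable:
    def __init__(self, bindings):
        self.by_ip, self.by_mac = {}, {}
        for b in bindings:
            ip, mac = norm_ip(b.ip), norm_mac(b.mac)
            if ip in self.by_ip or mac in self.by_mac:
                raise ValueError(f"binding {b.name!r} reuses an IP or MAC already in the table")
            self.by_ip[ip], self.by_mac[mac] = b, b

    def check(self, src_ip: str, src_mac: str) -> Verdict:
        """Decide one packet from its source IP and source MAC."""
        ip, mac = norm_ip(src_ip), norm_mac(src_mac)
        by_ip, by_mac = self.by_ip.get(ip), self.by_mac.get(mac)
        if by_ip is None and by_mac is None:
            return Verdict("pass", "neither address is bound", None)
        if by_ip is by_mac:
            return Verdict("pass", f"matches binding {by_ip.name}", None)
        if by_mac is None:    # Host 2 case: known IP, unexpected MAC
            reason = f"IP {ip} is bound to {norm_mac(by_ip.mac)} but packet came from {mac}"
        elif by_ip is None:   # Host 3 case: known MAC, unexpected IP
            reason = f"MAC {mac} is bound to {norm_ip(by_mac.ip)} but packet came from {ip}"
        else:                 # addresses of two different bindings combined
            reason = f"IP belongs to {by_ip.name} but MAC belongs to {by_mac.name}"
        involved = [b for b in (by_ip, by_mac) if b is not None]
        log = None
        if any(b.log_dropped for b in involved):
            log = f"DROP ip={ip} mac={mac} bindings={'/'.join(b.name for b in involved)}: {reason}"
        return Verdict("drop", reason, log)

# Constructed bindings table; the original MAC of Host 2 and IP of Host 3 are assumptions.
TABLE = BindingTable([
    Binding("Host 1", "00:01:02:03:04:01", "192.168.10.11", log_dropped=True),
    Binding("Host 2", "00:01:02:03:04:02", "192.168.10.12", log_dropped=True),
    Binding("Host 3", "00:01:02:03:04:03", "192.168.10.13"),
    Binding("Server 6", "00:01:02:03:04:10", "2001:db8::10"),
])

def demo() -> dict:
    """The manual's Host 2 and Host 3 packets, plus a swap, an unbound host and an IPv6 host."""
    return {
        "host1": TABLE.check("192.168.10.11", "00:01:02:03:04:01"),    # pass
        "host2": TABLE.check("192.168.10.12", "00:01:02:03:04:09"),    # drop, logged
        "host3": TABLE.check("192.168.10.15", "00:01:02:03:04:03"),    # drop, not logged
        "swap": TABLE.check("192.168.10.11", "00:01:02:03:04:03"),     # drop, logged (Host 1)
        "unbound": TABLE.check("192.168.10.99", "00:01:02:03:04:99"),  # pass
        "ipv6": TABLE.check("2001:DB8:0:0:0:0:0:10", "00-01-02-03-04-10"),  # pass
    }
```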
Configure Port Triggering
Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application.
Note: Port triggering is supported for IPv4 devices only.
Once configured, port triggering operates as follows:
1.
Figure 120.
2. In the Add Port Triggering Rule section, enter the settings as described in the following table:
Table 42. Port Triggering screen settings
Name: A descriptive name of the rule for identification and management purposes.
Enable: From the drop-down list, select Yes to enable the rule. (You can define a rule but not enable it.) The default setting is No.
To remove one or more port triggering rules from the table:
1. Select the check box to the left of each port triggering rule that you want to delete, or click the Select All table button to select all rules.
2. Click the Delete table button.
To display the status of the port triggering rules: Click the Status option arrow in the upper right of the Port Triggering screen. A pop-up screen displays, showing the status of the port triggering rules.
The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the VPN firewall and that have been automatically detected by the VPN firewall:
• Active. A Yes or No indicates if the UPnP device port that established a connection is active.
• Protocol. Indicates the network protocol such as HTTP or FTP that is used by the device to connect to the VPN firewall.
• Int. Port.
5. Virtual Private Networking Using IPSec and L2TP Connections
This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer.
Considerations for Dual WAN Port Systems
If two WAN ports are configured for either IPv4 or IPv6, you can enable either auto-rollover mode for increased system reliability or load balancing mode for optimum bandwidth efficiency. The selection of the WAN mode determines how you need to configure the VPN features.
The following table summarizes the WAN addressing requirements (FQDN or IP address) for a VPN tunnel in either dual WAN mode.
Table 43.
Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard
Figure 125.
To set up an IPv4 gateway-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio button is selected by default. The VPN Wizard screen displays the IPv4 settings. (The following screen contains some examples that do not relate to other examples in this manual.)
Figure 126.
To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
Figure 127.
2. Complete the settings as described in the following table:
Table 44.
Table 44. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel (continued)
This VPN tunnel will use the following local WAN Interface: Select a WAN interface from the drop-down list to specify which local WAN interface the VPN tunnel uses as the local endpoint.
Figure 128.
4. Configure a VPN policy on the remote gateway that allows connection to the VPN firewall.
5. Activate the IPSec VPN connection:
a. Select VPN > Connection Status. The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view:
Figure 129.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.
Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard
Figure 130.
To set up an IPv6 gateway-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard.
2. In the upper right of the screen, select the IPv6 radio button. The VPN Wizard screen displays the IPv6 settings. (The following screen contains some examples that do not relate to other examples in this manual.)
Figure 131.
To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
Figure 132.
3. Complete the settings as described in the following table:
Table 45.
Table 45. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel (continued)
This VPN tunnel will use the following local WAN Interface: Select a WAN interface from the drop-down list to specify which local WAN interface the VPN tunnel uses as the local endpoint.
Figure 133.
5. Configure a VPN policy on the remote gateway that allows connection to the VPN firewall.
6. Activate the IPSec VPN connection:
a. Select VPN > Connection Status. The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view:
Figure 134.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.
Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard
Figure 135.
To configure a VPN client tunnel, follow the steps in the following sections:
• Use the VPN Wizard to Configure the Gateway for a Client Tunnel on page 212.
• Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 215 or Manually Create a Secure Connection Using the NETGEAR VPN Client on page 220.
Figure 136.
To display the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see Figure 127 on page 205), showing the wizard default values. After you complete the wizard, you can modify these settings for the tunnel policy that you have set up.
2. Complete the settings as described in the following table:
Table 46.
Table 46. IPSec VPN Wizard settings for a client-to-gateway tunnel (continued)
This VPN tunnel will use the following local WAN Interface: Select a WAN interface from the drop-down list to specify which local WAN interface the VPN tunnel uses as the local endpoint.
Figure 137.
Note: When you are using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel fails because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
4. Optional step: Collect the information that you need to configure the VPN client.
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. The VPN Client supports IPv4 only; a future release of the VPN Client might support IPv6.
To use the Configuration Wizard to set up a VPN connection between the VPN client and the VPN firewall:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays:
Figure 138.
2.
Figure 139.
3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays:
Figure 140.
4. Specify the following VPN tunnel parameters:
• IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the VPN firewall. For example, enter 192.168.15.175.
• Preshared key. Enter the pre-shared key that you already specified on the VPN firewall.
Figure 141.
6. This screen is a summary screen of the new VPN configuration. Click Finish.
7. Specify the local and remote IDs:
a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
b. Click the Advanced tab in the Authentication pane.
c. Specify the settings that are described in the following table.
Table 48. VPN client advanced authentication settings
Advanced features
Aggressive Mode: Select this check box to enable aggressive mode as the mode of negotiation with the VPN firewall.
NAT-T: Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.
Figure 143.
b. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall.
• Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the VPN firewall.
9.
Configure the Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays:
Figure 144.
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1.
Figure 145.
3. Change the name of the authentication phase (the default is Gateway):
a.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
Figure 146.
4. Specify the settings that are described in the following table.
Table 49.
5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays:
Figure 147.
7. Specify the settings that are described in the following table.
Table 50.
Table 50. VPN client advanced authentication settings (continued)
Local and Remote ID
Local ID: As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter remote.com as the local ID for the VPN client. Note: The remote ID on the VPN firewall is the local ID on the VPN client. It might be less confusing to configure an FQDN such as client.
Figure 148.
3. Specify the settings that are described in the following table.
Table 51. VPN client IPSec configuration settings
VPN Client address: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that the VPN client uses in the VPN firewall’s LAN; the computer (for which the VPN client opened a tunnel) appears in the LAN with this IP address.
Address Type: Select Subnet address from the drop-down list.
4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
Configure the Global Parameters
To specify the global parameters:
1. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the Configuration Panel screen:
Figure 149.
2. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds.
Test the Connection and View Connection and Status Information
• Test the NETGEAR VPN Client Connection
• NETGEAR VPN Client Status and Log Information
• View the VPN Firewall IPSec VPN Connection Status
• View the VPN Firewall IPSec VPN Log
Both the NETGEAR ProSafe VPN Client and the VPN firewall provide VPN connection and status information.
Figure 151.
• Use the system-tray icon. Right-click the system tray icon, and select Open tunnel ‘Tunnel’.
Figure 152.
Whichever way you choose to open the tunnel, when the tunnel opens successfully, the Tunnel opened message displays above the system tray:
Figure 153.
NETGEAR VPN Client Status and Log Information
To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays:
Figure 155.
View the VPN Firewall IPSec VPN Connection Status
To view the status of current IPSec VPN tunnels, select VPN > Connection Status.
The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 10 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and click the Set Interval button. To stop polling, click the Stop button.
Table 52.
Manage IPSec VPN Policies • Manage IKE Policies • Manage VPN Policies After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies, or manually add new VPN and IKE policies directly in the policy tables.
Figure 158. Each policy contains the data described in the following table. These fields are described in more detail in Table 54 on page 234. Table 53. IKE Policies screen information for IPv4 and IPv6 Item Description Name The name that identifies the IKE policy. When you use the VPN Wizard to set up a VPN policy, an accompanying IKE policy is automatically created with the same name that you select for the VPN policy.
Note: You cannot delete or edit an IKE policy for which the VPN policy is active without first disabling or deleting the VPN policy. Manually Add or Edit an IKE Policy To manually add an IKE policy for IPv4 or IPv6: 1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view (see Figure 158 on page 232). 2. Under the List of IKE Policies table, click the Add table button.
4. Complete the settings as described in the following table: Table 54. Add IKE Policy screen settings Setting Description Mode Config Record Do you want to use Mode Config Record? Specify whether the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation on page 250. Select one of the following radio buttons: • Yes. IP addresses are assigned to remote VPN clients.
Table 54. Add IKE Policy screen settings (continued) Setting Description Identifier From the drop-down list, select one of the following ISAKMP identifiers to be used by the VPN firewall, and specify the identifier in the Identifier field: • Local Wan IP. The WAN IP address of the VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface. • FQDN.
Table 54. Add IKE Policy screen settings (continued) Setting Description Authentication Method Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint. • RSA-Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen (see Manage VPN Self-Signed Certificates on page 323).
Table 54. Add IKE Policy screen settings (continued) Setting Description Extended Authentication Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: • None. XAUTH is disabled. This is the default setting. Note: For more information about • Edge Device.
5. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table. Manage VPN Policies You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available. • Manual. You manually enter all settings (including the keys) for the VPN tunnel on the VPN firewall and on the remote VPN endpoint. No third-party server or organization is involved. • Auto.
Figure 160. Each policy contains the data described in the following table. These fields are described in more detail in Table 56 on page 241. Table 55. VPN Policies screen information for IPv4 and IPv6 Item Description ! (Status) Indicates whether the policy is enabled (green circle) or disabled (gray circle).
For information about how to add or edit a VPN policy, see Manually Add or Edit a VPN Policy on this page. Manually Add or Edit a VPN Policy To manually add a VPN policy: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings (see Figure 160 on page 239). 2. Under the List of VPN Policies table, click the Add table button. The Add New VPN Policy screen displays the IPv4 settings (see Figure 161 on page 240). 3.
Figure 162. Add New VPN Policy screen for IPv6 4. Complete the settings as described in the following table. The only differences between the IPv4 and IPv6 settings are the subnet mask (IPv4) and the prefix length (IPv6). Table 56. Add New VPN Policy screen settings for IPv4 and IPv6 Setting Description General Policy Name A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Table 56. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Policy Type From the drop-down list, select one of the following policy types: • Auto Policy. Some settings (the ones in the Manual Policy Parameters section of the screen) for the VPN tunnel are generated automatically. • Manual Policy. All settings need to be specified manually, including the ones in the Manual Policy Parameters section of the screen.
Table 56. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Traffic Selection Local IP From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall: • Any. All computers and devices on the network. Note that you cannot select Any for both the VPN firewall and the remote endpoint. • Single. A single IP address on the network.
Table 56. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Key-Out The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: • 3DES. Enter 24 characters. • DES. Enter 8 characters. (Single DES provides only 56-bit security; select it only when the remote endpoint supports nothing stronger.) • AES-128. Enter 16 characters. • AES-192. Enter 24 characters. • AES-256. Enter 32 characters. SPI-Outgoing The Security Parameters Index (SPI) for the outbound policy.
Table 56. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting. • MD5. Hash algorithm that produces a 128-bit digest.
requesting individual authentication information from the user. A local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network. You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available: • Edge Device. The VPN firewall is used as a VPN concentrator on which one or more gateway tunnels terminate.
4. In the Extended Authentication section of the screen, complete the settings as described in the following table: Table 57. Extended authentication settings for IPv4 and IPv6 Setting Description Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: • None. XAUTH is disabled. This is the default setting. • Edge Device.
name and password information. The gateway then attempts to verify this information first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. Note: Even though you can configure RADIUS servers with IPv4 addresses only, the servers can be used for authentication, authorization, and accounting of both IPv4 and IPv6 users.
Table 58. RADIUS Client screen settings (continued) Setting Description Primary Server NAS Identifier The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request. Note: The VPN firewall functions as a NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS needs to provide some NAS identifier information to the RADIUS server.
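The XAUTH relay and the NAS Identifier described above map onto a plain RFC 2865 exchange: the VPN firewall, acting as the NAS, sends an Access-Request carrying User-Name, an obfuscated User-Password and NAS-Identifier, and the RADIUS server answers Access-Accept or Access-Reject with a Response Authenticator that the NAS must check. The following Python is an added example, not NETGEAR code and not a description of the firewall's firmware; the shared secret, the NAS identifier srx5308-hq, the user alice and her password are constructed values. It models both sides of the exchange so it runs offline, and it shows two points a practitioner cares about: the PAP password is protected only by an MD5 stream keyed with the shared secret (so the secret must be long and random), and a reply whose Response Authenticator does not verify must be discarded rather than treated as an accept.

```python
"""RADIUS PAP round trip (RFC 2865), as the VPN firewall performs it when XAUTH
relays a user name and password to a RADIUS server. Added example, not NETGEAR
code; the shared secret, NAS identifier and user database are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def decode_pap_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert the XOR chain and strip the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(pkt: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        attrs[kind] = pkt[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(username, password, nas_id, secret, ident, request_auth=None):
    """NAS side. The Request Authenticator is random per request; it keeps two
    requests with the same password from producing the same ciphertext."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + request_auth + attrs, request_auth


def server_respond(request: bytes, secret: bytes, users: dict, required_nas: bytes) -> bytes:
    """Minimal server: require the expected NAS-Identifier, recover the PAP
    password, answer Accept or Reject. Response Authenticator (RFC 2865 s.3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[:length])
    ok = (code == ACCESS_REQUEST
          and attrs.get(ATTR_NAS_IDENTIFIER) == required_nas
          and ATTR_USER_PASSWORD in attrs
          and users.get(attrs.get(ATTR_USER_NAME))
          == decode_pap_password(attrs[ATTR_USER_PASSWORD], secret, request_auth))
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> int:
    """NAS side: trust the reply only if the Response Authenticator checks out.
    Without this check a spoofed UDP datagram could pass as an Access-Accept."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if hashlib.md5(head + request_auth + attrs + secret).digest() != resp_auth:
        raise ValueError("bad Response Authenticator")
    return head[0]


def xauth_roundtrip(username: bytes, password: bytes, secret=b"constructed-shared-secret",
                    nas_id=b"srx5308-hq", server_secret=None) -> int:
    """Run one PAP exchange end to end; returns the verified response code."""
    users = {b"alice": b"correct horse battery staple"}   # constructed user database
    req, ra = build_access_request(username, password, nas_id, secret, ident=7)
    resp = server_respond(req, server_secret or secret, users, required_nas=nas_id)
    return verify_response(resp, ra, secret)


if __name__ == "__main__":
    print(xauth_roundtrip(b"alice", b"correct horse battery staple"))  # 2 = Access-Accept
    print(xauth_roundtrip(b"alice", b"wrong password"))                # 3 = Access-Reject
```

A mismatched shared secret between NAS and server does not produce a clean reject: the server decodes garbage and answers Reject, and the NAS then rejects the reply itself because the Response Authenticator was computed with a different secret, which is why a shared-secret typo shows up on the firewall as a RADIUS timeout or error rather than as a failed login.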
Assign IPv4 Addresses to Remote Users (Mode Config) • Mode Config Operation • Configure Mode Config Operation on the VPN Firewall • Configure the ProSafe VPN Client for Mode Config Operation • Test the Mode Config Connection • Modify or Delete a Mode Config Record To simplify the process of connecting remote VPN clients to the VPN firewall, use the Mode Config feature to automatically assign IPv4 addresses to remote users, including a network acce
To configure Mode Config on the VPN firewall: 1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays: Figure 164. As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales: • For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and a second pool (172.16.200.1 through 172.16.200.99) are shown. • For NA Sales, a first pool (172.25.100.50 through 172.25.100.99), a second pool (172.
3. Complete the settings as described in the following table: Table 59. Add Mode Config Record screen settings Setting Description Client Pool Record Name A descriptive name of the Mode Config record for identification and management purposes. First Pool Assign at least one range of IP pool addresses in the First Pool fields to enable the VPN firewall to allocate these to remote VPN clients. The Second Pool and Third Pool fields are optional.
Table 59. Add Mode Config Record screen settings (continued) Setting Description Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting. • MD5. Hash algorithm that produces a 128-bit digest. Local IP Address The local IP address to which remote VPN clients have access.
Figure 166. 8. On the Add IKE Policy screen, complete the settings as described in the following table. Note: The IKE policy settings that are described in the following table are specifically for a Mode Config configuration. Table 54 on page 234 explains the general IKE policy settings.
Table 60. Add IKE Policy screen settings for a Mode Config configuration Setting Description Mode Config Record Do you want to use Mode Config Record? Select the Yes radio button. Note: Because Mode Config functions only in Aggressive mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode. Mode Config also requires that both the local and remote endpoints are defined by their FQDNs. In Aggressive mode the endpoint identities and the pre-shared-key-based authentication hash are exchanged before the channel is encrypted, so anyone who can capture the exchange can attack the hash offline; use a long, random pre-shared key (or RSA-Signature authentication) for Mode Config policies.
Table 60. Add IKE Policy screen settings for a Mode Config configuration (continued) Setting Description IKE SA Parameters Note: Generally, the default settings work well for a Mode Config configuration. Encryption Algorithm To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm.
Table 60. Add IKE Policy screen settings for a Mode Config configuration (continued) Setting Description Extended Authentication Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: • None. XAUTH is disabled. This is the default setting. Note: For more information about • Edge Device.
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and specify the global parameters. Configure the Mode Config Authentication Settings (Phase 1 Settings) To create new authentication settings: 1.
3. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane. Note: This is the name for the authentication phase that is used only by the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. The name needs to be unique.
Table 61. VPN client authentication settings (Mode Config) (continued) Setting Description IKE Encryption Select the 3DES encryption algorithm from the drop-down list. Authentication Select the SHA1 authentication algorithm from the drop-down list. Key Group Select the DH2 (1024) key group from the drop-down list. Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit). 5.
Table 62. VPN client advanced authentication settings (Mode Config) (continued) Setting Description NAT-T Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T. Local and Remote ID Local ID As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter client.com as the local ID for the VPN client.
Figure 171. 3. Specify the settings that are described in the following table. Table 63. VPN client IPSec configuration settings (Mode Config) Setting Description VPN Client address This field is masked out because Mode Config is selected. After an IPSec connection is established, the IP address that is issued by the VPN firewall displays in this field (see Figure 176 on page 266). Address Type Select Subnet address from the drop-down list.
Table 63. VPN client IPSec configuration settings (Mode Config) (continued) Setting Description ESP Encryption Select 3DES as the encryption algorithm from the drop-down list. Authentication Select SHA-1 as the authentication algorithm from the drop-down list. Mode Select Tunnel as the encapsulation mode from the drop-down list. PFS and Group Select the PFS check box, and select the DH2 (1024) key group from the drop-down list.
2. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall: • Authentication (IKE), Default. Enter 3600 seconds. Note: The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour). • Encryption (IPSec), Default. Enter 3600 seconds. 3.
2. Verify that the VPN firewall issued an IP address to the VPN client. This IP address displays in the VPN Client address field on the IPSec pane of the VPN client. (The following figure shows the upper part of the IPSec pane only.) Figure 175. 3. From the client computer, ping a computer on the VPN firewall LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure that it is not used in an IKE policy.
keep-alive and Dead Peer Detection (DPD) features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconnects for any reason. For DPD to function, the peer VPN device on the other end of the tunnel also needs to support DPD. Keep-alive, though less reliable than DPD, does not require any support from the peer device.
4. Enter the settings as described in the following table: Table 64. Keep-alive settings Setting Description General Enable Keepalive Select the Yes radio button to enable the keep-alive feature. Periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.
Figure 177. 4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as described in the following table: Table 65. Dead Peer Detection settings Setting Description IKE SA Parameters Enable Dead Peer Detection Select the Yes radio button to enable DPD. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SAs and forces a reestablishment of the connection.
2. Specify the IP version for which you want to edit a VPN policy: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3. • IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays. 3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays.
To enable the PPTP server and configure the PPTP server pool, authentication, and encryption: 1. Select VPN > PPTP Server. The PPTP Server screen displays. (The following figure contains an example.) Figure 179. 2. Enter the settings as described in the following table: Table 66. PPTP Server screen settings Setting Description PPTP Server Enable To enable the PPTP server, select the Enable check box.
Table 66. PPTP Server screen settings (continued) Setting Description Encryption If the authentication is MSCHAP or MSCHAPv2, the PPTP server can support Microsoft Point-to-Point Encryption (MPPE). Select one or more of the following types of MPPE: • MPPE-40. MPPE 40-bit encryption. • MPPE-128. MPPE 128-bit encryption. This is the strongest type of MPPE encryption. • MPPE-stateful. Stateful MPPE encryption. Note that the MPPE session keys are derived from the MS-CHAP password exchange, so the protection PPTP offers is bounded by the strength of the user password and of MS-CHAP itself; where the client supports it, prefer the IPSec or SSL VPN options described in this chapter.
Configure the L2TP Server As an alternative to IPSec VPN tunnels, you can configure a Layer 2 Tunneling Protocol (L2TP) server on the VPN firewall to allow remote users running L2TP clients to connect over L2TP tunnels. A maximum of 25 simultaneous L2TP user sessions are supported. (The very first IP address of the L2TP address pool is assigned to the VPN firewall itself.
2. Enter the settings as described in the following table: Table 68. L2TP Server screen settings Setting Description L2TP Server Configuration Enable To enable the L2TP server, select the Enable check box. Starting IP Address The first IP address of the pool. This address is assigned to the VPN firewall itself, so the remaining addresses are available for clients. Ending IP Address The last IP address of the pool. A maximum of 26 contiguous addresses is supported (one for the VPN firewall and 25 for user sessions).
Table 69. L2TP Active Users screen information (continued) Item Description L2TP IP The IP address that is assigned by the L2TP server on the VPN firewall. Action Click the Disconnect table button to terminate the L2TP connection.
6. Virtual Private Networking Using SSL Connections The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
SSL VPN Portal Options The VPN firewall’s SSL VPN portal can provide two levels of SSL service to the remote user: • SSL VPN tunnel. The VPN firewall can provide the full network connectivity of a VPN tunnel using the remote user’s browser instead of a traditional IPSec VPN client. The SSL capability of the user’s browser provides authentication and encryption, establishing a secure connection to the VPN firewall.
resources to which the users are granted access. Because you need to assign a portal layout when creating a domain, the domain is created after you have created the portal layout. b. Create one or more groups for your SSL VPN users. When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies.
You apply portal layouts by selecting one from the available portal layouts in the configuration of a domain. When you have completed your portal layout, you can apply the portal layout to one or more authentication domains (see Configure Domains on page 303). You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button next to the portal layout name.
The List of Layouts table displays the following fields: • Layout Name. The descriptive name of the portal. • Description. The banner message that is displayed at the top of the portal (see Figure 196 on page 298). • Use Count. The number of authentication domains that use the portal. • Portal URL: - Portal URL (IPv4). The IPv4 URL at which the portal can be accessed.
4. Complete the settings as described in the following table: Table 70. Add Portal Layout screen settings Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.
Table 70. Add Portal Layout screen settings (continued) Setting Description ActiveX web cache cleaner Select this check box to enable the ActiveX cache control to be loaded when users log in to the SSL VPN portal. The web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window.
For information about how to configure domains, groups, and users, see Configure Authentication Domains, Groups, and Users on page 303. Configure Applications for Port Forwarding • Add Servers and Port Numbers • Add a New Host Name Port forwarding provides access to specific defined network services.
2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to. • TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers. Table 71.
To add servers and host names for client name resolution: 1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see Figure 186 on page 282). 2. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields: • Local Server IP Address. The IP address of an internal server or host computer that you want to name. • Fully Qualified Domain Name. The full server name.
• Select whether you want to enable full-tunnel or split-tunnel support based on your bandwidth: - A full tunnel sends all of the client’s traffic across the VPN tunnel. - A split tunnel sends only traffic that is destined for the local network, based on the specified client routes. All other traffic is sent to the Internet. A split tunnel allows you to manage bandwidth by reserving the VPN tunnel for local traffic only. Note that with a split tunnel the client is connected to the LAN and to the Internet at the same time, so the bandwidth saving is traded against the firewall’s visibility into that client’s Internet traffic.
Figure 188. SSL VPN Client screen for IPv6 3. Complete the settings as described in the following table: Table 72. SSL VPN Client screen settings for IPv4 and IPv6 Setting Description Client IP Address Range Enable Full Tunnel Support Select this check box to enable full-tunnel support.
Table 72. SSL VPN Client screen settings for IPv4 and IPv6 (continued) Setting Description IPv4 screen only (continued) Client Address Range End The last IP address of the IPv4 address range that you want to assign to the VPN tunnel clients. By default, the last IPv4 address is 192.168.251.254. Client IPv6 Address Range Begin The first IP address of the IPv6 address range that you want to assign to the VPN tunnel clients.
If VPN tunnel clients are already connected, disconnect and then reconnect the clients on the SSL VPN Connection Status screen (see View the SSL VPN Connection Status and SSL VPN Log on page 299). Doing so allows the clients to receive new addresses and routes. To change the specifications of an existing route and to delete an old route: 1. Add a new route to the Configured Client Routes table. 2.
Figure 189. 2. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service drop-down list, select the type of service to which the resource applies: - VPN Tunnel. The resource applies only to a VPN tunnel. - Port Forwarding. The resource applies only to port forwarding. - All.
Figure 190. 4. Complete the settings as described in the following table: Table 73. Resources screen settings to edit a resource Setting Description Add Resource Addresses Resource Name The unique identifier for the resource. You cannot modify the resource name after you have created it on the first Resources screen. Service The SSL service that is assigned to the resource.
Table 73. Resources screen settings to edit a resource (continued) Setting Description Object Type (continued) IPv4 screen only: Mask Length Enter the network mask (0–31) for the locations that are permitted to use this resource. IPv6 screen only: Prefix Length Enter the prefix length for the locations that are permitted to use this resource. Port Range / Port Number A port or a range of ports (0–65535) to apply the policy to.
includes the following addresses: 10.0.0.5–10.0.0.20 and the FQDN ftp.company.com, which resolves to 10.0.1.3. Assuming that no conflicting user or group policies have been configured, if a user attempted to access FTP servers at the following addresses, the actions listed would occur: • 10.0.0.1. The user would be blocked by Policy 1. • 10.0.1.5. The user would be blocked by Policy 2. • 10.0.0.10. The user would be granted access by Policy 3.
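The three outcomes listed above follow from how SSL VPN policies are resolved: a user policy overrides a group policy, which overrides a global policy, and within one scope the most specific object wins, so a permit on a defined network resource beats a deny on the IP network that contains it. The following Python is an added example, not NETGEAR code and not the firewall's implementation. Only Policy 3's resource (10.0.0.5–10.0.0.20 plus ftp.company.com, resolving to 10.0.1.3) is spelled out on this page; the definitions of Policy 1 and Policy 2 below are assumed reconstructions chosen to reproduce the listed results, the precedence ranks are the assumed model just described, and the DNS table is a constructed stand-in for live resolution. The example goes one step beyond the page by adding a user-scope deny to show the scope precedence as well.

```python
"""Resolve SSL VPN access policies: scope precedence (user > group > global),
then object specificity (resource > address range > IP network > all).
Added example, not NETGEAR code; Policy 1 and 2 definitions are assumed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed precedence model, higher number wins.
RANK = {"resource": 3, "range": 2, "network": 1, "all": 0}
SCOPE = {"user": 3, "group": 2, "global": 1}

# Constructed name resolution table (the page states ftp.company.com -> 10.0.1.3).
DNS = {"ftp.company.com": "10.0.1.3"}


def _in_range(ip, spec: str) -> bool:
    """spec is 'a-b', inclusive, as entered on the Resources screen."""
    lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-"))
    return lo <= ip <= hi


@dataclass
class Resource:
    """A network resource object: address ranges and/or FQDNs."""
    name: str
    ranges: List[str] = field(default_factory=list)
    fqdns: List[str] = field(default_factory=list)

    def contains(self, ip) -> bool:
        if any(_in_range(ip, r) for r in self.ranges):
            return True
        # Unresolvable names simply never match; they must not fail open.
        return any(ipaddress.ip_address(DNS[h]) == ip for h in self.fqdns if h in DNS)


@dataclass
class Policy:
    name: str
    scope: str            # "global" | "group" | "user"
    action: str           # "permit" | "deny"
    service: str          # constructed labels: "ftp", "all", ...
    kind: str             # key of RANK
    target: object = None  # Resource | "a-b" | "net/prefix" | None

    def matches(self, ip, service: str) -> bool:
        if self.service not in ("all", service):
            return False
        if self.kind == "all":
            return True
        if self.kind == "resource":
            return self.target.contains(ip)
        if self.kind == "range":
            return _in_range(ip, self.target)
        if self.kind == "network":
            return ip in ipaddress.ip_network(self.target, strict=False)
        raise ValueError(f"unknown policy kind {self.kind!r}")


def decide(policies: List[Policy], dst: str, service: str = "ftp",
           default: str = "deny") -> Tuple[str, Optional[str]]:
    """Return (action, winning policy name); no match falls back to `default`
    (an implicit deny is assumed here; the page does not state the default)."""
    ip = ipaddress.ip_address(dst)
    hits = [p for p in policies if p.matches(ip, service)]
    if not hits:
        return default, None
    best = max(hits, key=lambda p: (SCOPE[p.scope], RANK[p.kind]))
    return best.action, best.name


FTP_SERVERS = Resource("FTP Servers", ranges=["10.0.0.5-10.0.0.20"], fqdns=["ftp.company.com"])

EXAMPLE_POLICIES = [
    Policy("Policy 1", "global", "deny", "all", "network", "10.0.0.0/24"),       # assumed
    Policy("Policy 2", "global", "deny", "ftp", "range", "10.0.1.2-10.0.1.10"),  # assumed
    Policy("Policy 3", "global", "permit", "ftp", "resource", FTP_SERVERS),      # from the page
]

if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.1.5", "10.0.0.10", "10.0.1.3"):
        print(dst, decide(EXAMPLE_POLICIES, dst))
```

Two behaviours worth noting when reading the output: 10.0.1.3 is permitted even though it sits inside Policy 2's range, because the FQDN in the resource object makes Policy 3 the more specific match; and adding a user-scoped deny on the same resource flips 10.0.0.10 to deny, since scope is compared before specificity.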
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 2. Make your selection from the following Query options: • To view all global policies, select the Global radio button. • To view group policies, select the Group radio button, and select the relevant group’s name from the drop-down list. • To view user policies, select the User radio button, and select the relevant user’s name from the drop-down list. 3. Click the Display action button.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 . Figure 193. Add SSL VPN Policy screen for IPv6 4. Complete the settings as described in the following table: Table 74. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the type of SSL VPN policy: • Global. The new policy is global and includes all groups and users. • Group. The new policy needs to be limited to a single group. From the drop-down list, select a group name.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 74. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy to? (continued) Network Resource IP Address IP Network Policy Name A descriptive name of the SSL VPN policy for identification and management purposes. Defined Resources From the drop-down list, select a network resource that you have defined on the Resources screen (see Use Network Resource Objects to Simplify Policies on page 288).
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 74. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy to? (continued) IP Network (continued) All Addresses Service From the drop-down list, select the service to which the SSL VPN policy is applied: • VPN Tunnel. The policy is applied only to a VPN tunnel. • Port Forwarding. The policy is applied only to port forwarding. • All. The policy is applied both to a VPN tunnel and to port forwarding.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 To delete one or more SSL VPN policies: 1. On the Policies screen (see Figure 191 on page 292), select the check box to the left of each SSL VPN policy that you want to delete, or click the Select All table button to select all policies. 2. Click the Delete table button.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 3. In the Portal URL field of the List of Layouts table, click the URL that corresponds to the SSL portal login screen that you want to open. The SSL portal login screen displays. (The following figure shows the CustSupport layout that was defined in Create the Portal Layout on page 277.) Figure 196. 4. Enter a user name and password that are associated with a domain, that, in turn, is associated with the portal.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 198. The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity. • Port Forwarding. Provides access to the network services that you defined as described in Configure Applications for Port Forwarding on page 282. • Change Password. Allows the user to change the password. • Support.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 199. The active user’s name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the user’s table entry. To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 200.
7. Manage Users, Authentication, and VPN Certificates
This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN.
The VPN Firewall’s Authentication Process and Options
Users are assigned to a group, and a group is assigned to a domain. Therefore, create any domains first, then groups, and then user accounts.
Note: Do not confuse the authentication groups with the LAN groups that are described in Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 96.
Table 75. External authentication protocols and methods (continued)
Authentication Protocol or Method Description
MIAS A network-validated PAP or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Windows Server 2003.
WiKID WiKID Systems is a PAP or CHAP key-based two-factor authentication method that functions with public key cryptography.
Create Domains
To create a domain:
1. Select Users > Domains. The Domains screen displays. (The following figure shows the VPN firewall’s default domain, geardomain, and, as an example, other domains in the List of Domains table.)
Figure 201.
The List of Domains table displays the domains with the following fields:
• Check box. Allows you to select the domain in the table.
• Domain Name. The name of the domain.
Figure 202.
3. Complete the settings as described in the following table:
Table 76. Add Domain screen settings
Setting Description
Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes.
Authentication Type From the drop-down list, select the authentication method that the VPN firewall applies:
• Local User Database (default). Users are authenticated locally on the VPN firewall.
Table 76. Add Domain screen settings (continued)
Setting Description
Authentication Type (continued)
• MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP. Complete the following fields:
- Authentication Server
- Authentication Secret
• MIAS-CHAP.
Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client and Server Configuration on page 247).
Select Portal
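The PAP and CHAP variants in the table differ in what crosses the wire between the VPN firewall (acting as the RADIUS client, or NAS) and the authentication server. The following Python script is an added example, not code from the manual or from NETGEAR: it implements the User-Password hiding that RFC 2865 prescribes for PAP and the CHAP response that RFC 1994 defines (carried in RADIUS as the CHAP-Password attribute), and shows both the client-side computation and the server-side check. The shared secret, Request Authenticator, challenge and passwords in it are constructed test values.

```python
"""RADIUS PAP password hiding (RFC 2865 section 5.2) and CHAP challenge/response
(RFC 1994, carried in RADIUS per RFC 2865 section 5.3).

Added example, not NETGEAR code; all secrets below are constructed test values.
"""
import hashlib
import hmac
import os


def new_request_authenticator() -> bytes:
    """16 random bytes; must be unpredictable and fresh per Access-Request,
    because it keys the PAP hiding and doubles as the CHAP challenge when no
    CHAP-Challenge attribute is sent."""
    return os.urandom(16)


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does to a PAP password before placing it in User-Password.

    The password is NUL-padded to a multiple of 16 bytes.  Block 1 is XORed with
    MD5(secret + Request Authenticator); each later block is XORed with
    MD5(secret + previous hidden block).  Reversible by anyone who holds the
    shared secret, so it is obfuscation keyed by the secret, not encryption of
    the password with a per-user key."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def unhide_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding and strip the NUL padding.  A password that
    itself ends in NUL bytes cannot be recovered exactly; that is a limitation
    of the RFC scheme, not of this code."""
    if len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response computed by the client: MD5(ident || password || challenge).
    The password never leaves the client; only ident and this digest travel."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def chap_verify(ident: int, response: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side.  Note what CHAP demands of the server: it must hold the
    cleartext (or reversibly encrypted) password to recompute the digest."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = b"r4d1us-shared-secret"            # constructed
    ra = new_request_authenticator()
    hidden = hide_pap_password(b"hunter2", secret, ra)
    print("PAP round trip:", unhide_pap_password(hidden, secret, ra) == b"hunter2")
    chal = os.urandom(16)
    resp = chap_response(1, b"hunter2", chal)
    print("CHAP verify:", chap_verify(1, resp, chal, b"hunter2"))
```

The two functions make the trade-off concrete: PAP hiding protects the password only against an observer who lacks the shared secret, so the path between the VPN firewall and the RADIUS or MIAS server still needs to be a trusted network segment or a tunnel; CHAP keeps the password off the wire entirely but forces the server to store it in a recoverable form. Both use MD5 by specification, which is why a short or guessable shared secret is the weak point of either variant.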
Note: A combination of local and external authentication is supported.
WARNING: If you disable local authentication, make sure that there is at least one external administrative user; otherwise, access to the VPN firewall is blocked.
6. If you change the local authentication setting, click Apply in the Domain screen to save your settings.
To delete one or more domains:
1.
IMPORTANT: When you create a domain on the Domains screen (see the previous section), a group with the same name as the new domain is created automatically. You cannot delete such a group. However, when you delete the domain with which it is associated, the group is deleted automatically.
Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and are not assigned to a group.
Note: When you create a domain on the Domains screen, a group with the same name as the new domain is created automatically. You cannot delete such a group on the Groups screen. However, when you delete the domain with which the group is associated, the group is deleted automatically.
• Domain. The name of the domain to which the group is assigned.
• Action. The Edit table button, which provides access to the Edit Group screen.
2.
Edit Groups
For groups that were automatically created when you created a domain, you can modify only the idle time-out settings but not the group name or associated domain. For groups that you created on the Add Groups screen, you can modify the domain and the idle time-out settings but not the group name.
To edit a VPN group:
1. Select Users > Groups. The Groups screen displays (see Figure 203 on page 308).
2.
• Guest user. A user who can only view the VPN firewall configuration (that is, read-only access).
• IPSec VPN user. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 245).
• L2TP user. A user who can connect over an L2TP connection to an L2TP client that is located behind the VPN firewall.
• PPTP user.
Figure 206.
3. Enter the settings as described in the following table:
Table 78. Add Users screen settings
Setting Description
User Name A descriptive (alphanumeric) name of the user for identification and management purposes.
User Type From the drop-down list, select one of the predefined user types that determines the access credentials:
• SSL VPN User. A user who can log in only to the SSL VPN portal.
• Administrator.
To delete one or more user accounts:
1. In the List of Users table, select the check box to the left of each user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete the default admin or guest user account.
2. Click the Delete table button.
Note: For security reasons, the Deny Login from WAN Interface check box is selected by default for guests and administrators. The Disable Login check box is disabled (masked out) for administrators.
4. Click Apply to save your settings.
Configure Login Restrictions Based on IPv4 Addresses
To restrict logging in based on IPv4 addresses:
1. Select Users > Users. The Users screen displays (see Figure 205 on page 311).
2.
6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as described in the following table:
Table 79. Defined addresses settings for IPv4
Setting Description
Source Address Type Select the type of address from the drop-down list:
• IP Address. A single IPv4 address.
• IP Network. A subnet of IPv4 addresses. You need to enter a netmask length in the Mask Length field.
Figure 209.
5. In the Defined Addresses Status section of the screen, select one of the following radio buttons:
• Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
• Allow Login only from Defined Addresses. Allow logging in from the IP addresses in the Defined Addresses table. Before you select this option, make sure that the table contains the address from which you manage the VPN firewall; otherwise, you lock yourself out.
6. Click Apply to save your settings.
7.
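As an added example that is not part of the manual, the following Python code models the Defined Addresses table and the two Defined Addresses Status modes with the standard library's ipaddress module: single addresses and networks with a mask length, the Deny Login from Defined Addresses and Allow Login only from Defined Addresses semantics, and a pre-apply check for the lockout case that the Allow-only mode makes possible. It generalizes slightly beyond this section by accepting IPv6 rows as well, which the manual configures on a separate screen. The table rows and source addresses are constructed values, and the VPN firewall's own matching code is not shown on this page, so treat this as a model of the documented behaviour rather than the device's implementation.

```python
"""Model of the Defined Addresses login restriction (added example, not NETGEAR code)."""
import ipaddress

# The two radio buttons in the Defined Addresses Status section.
DENY_FROM_DEFINED = "deny"
ALLOW_ONLY_FROM_DEFINED = "allow_only"


def build_defined_addresses(rows):
    """Turn rows of the Defined Addresses table into network objects.

    rows: iterable of (source_address_type, address, mask_length) where
    source_address_type is "IP Address" (mask ignored; a single host) or
    "IP Network" (mask_length required).  IPv4 and IPv6 rows may be mixed."""
    nets = []
    for kind, addr, mask in rows:
        if kind == "IP Address":
            nets.append(ipaddress.ip_network(addr))          # /32 or /128
        elif kind == "IP Network":
            if mask is None:
                raise ValueError(f"IP Network row {addr} needs a Mask Length")
            # strict=False accepts a host address with a mask, as the UI would
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        else:
            raise ValueError(f"unknown Source Address Type {kind!r}")
    return nets


def login_allowed(source_ip, defined, mode):
    """Decide whether a login attempt from source_ip passes the address filter."""
    ip = ipaddress.ip_address(source_ip)
    # Membership across address families is False, so an IPv6 client never
    # matches an IPv4 row and vice versa; no exception is raised.
    matched = any(ip in net for net in defined)
    if mode == DENY_FROM_DEFINED:
        return not matched
    if mode == ALLOW_ONLY_FROM_DEFINED:
        return matched
    raise ValueError(f"unknown mode {mode!r}")


def would_lock_out(admin_source_ip, defined, mode):
    """Pre-apply check: True if the table about to be applied would block the
    address the administrator is managing the firewall from right now."""
    return not login_allowed(admin_source_ip, defined, mode)


# Constructed example table using documentation prefixes, not real hosts.
EXAMPLE_TABLE = build_defined_addresses([
    ("IP Address", "203.0.113.10", None),
    ("IP Network", "198.51.100.0", 24),
    ("IP Address", "2001:db8::5", None),
])

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.77", "192.0.2.1", "2001:db8::5"):
        print(f"{src:>16} allow-only: {login_allowed(src, EXAMPLE_TABLE, ALLOW_ONLY_FROM_DEFINED)}"
              f"  deny-from: {login_allowed(src, EXAMPLE_TABLE, DENY_FROM_DEFINED)}")
    print("would lock out admin at 192.0.2.1:",
          would_lock_out("192.0.2.1", EXAMPLE_TABLE, ALLOW_ONLY_FROM_DEFINED))
```

The deny mode is a blocklist (everything not listed gets in), the allow-only mode is an allowlist (nothing not listed gets in); would_lock_out is the check to run against your own management address before clicking Apply with the allow-only button selected.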
To delete one or more IPv6 addresses:
1. In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.
Configure Login Restrictions Based on Web Browser
To restrict logging in based on the user’s browser:
1. Select Users > Users. The Users screen displays (see Figure 205 on page 311).
2.
• Firefox. Mozilla Firefox.
• Mozilla. Other Mozilla browsers.
7. Click the Add table button. The browser is added to the Defined Browsers table.
8. Repeat Step 6 and Step 7 for any other browsers that you want to add to the Defined Browsers table.
Note: The browser type is reported by the client itself (in the HTTP User-Agent header) and can be set to any value by the person at the keyboard, so treat a browser restriction as a usability or policy control, not as a security boundary.
To delete one or more browsers:
1. In the Defined Browsers table, select the check box to the left of each browser that you want to delete, or click the Select All table button to select all browsers.
2.
Figure 211.
3. Change the settings as described in the following table:
Note: Once a user account has been created, you cannot change the user name or the group. If you need to change the user name or the group, delete the user account and re-create it with the correct name or group.
Table 81. Edit User screen settings
Setting Description
Select User Type From the drop-down list, select one of the predefined user types that determines the access credentials:
• SSL VPN User.
Manage Digital Certificates for VPN Connections
• VPN Certificates Screen
• Manage VPN CA Certificates
• Manage VPN Self-Signed Certificates
• Manage the VPN Certificate Revocation List
The VPN firewall uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways or clients, or to be authenticated by remote entities:
• On the VPN firewall, you c
Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate from a commercial CA provides a strong assurance of the server’s identity. A self-signed digital certificate triggers a warning from most browsers because no trusted third party vouches for it: the browser has no trust anchor for the certificate, so it cannot distinguish the real server from an impostor that presents its own self-signed certificate. The VPN firewall contains a self-signed digital certificate from NETGEAR.
Manage VPN CA Certificates
To view and upload trusted certificates:
Select VPN > Certificates. The Certificates screen displays. (The following figure shows the top section of the screen with the trusted certificate information and an example certificate in the Trusted Certificates [CA Certificate] table.)
Figure 212.
Manage VPN Self-Signed Certificates
Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed digital certificate triggers a warning from most browsers because no trusted CA vouches for the server’s identity. (The following figure shows an image of a browser security alert.
Figure 214. Certificates, screen 2 of 3
2. In the Generate Self Certificate Request section of the screen, enter the settings as described in the following table:
Table 82. Generate self-signed certificate request settings
Setting Description
Name A descriptive name for the certificate request for identification and management purposes.
Subject The name that other organizations see as the holder (owner) of the certificate.
Table 82. Generate self-signed certificate request settings (continued)
Setting Description
Optional Fields
IP Address Enter your fixed (static) IP address. If your IP address is dynamic, leave this field blank.
Domain Name Enter your Internet domain name, or leave this field blank.
E-mail Address Enter the email address of a technical contact in your company.
3. Click the Generate table button.
9. Select the check box next to the self-signed certificate request.
10. Click the Browse button and navigate to the digital certificate file from the CA that you just stored on your computer.
11. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Active Self Certificates table.
To delete one or more SCRs:
1.
Figure 216. Certificates, screen 3 of 3
The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates:
• CA Identity. The official name of the CA that issued the CRL.
• Last Update. The date when the CRL was released.
• Next Update. The date when the next CRL will be released. A CRL whose Next Update date has passed no longer reflects the CA’s current revocations; download and upload a fresh CRL before that date.
2. In the Upload CRL section, click the Browse button and navigate to the CRL file that you previously downloaded from a CA.
3.
8. Network and System Management
This chapter describes the tools for managing network traffic to optimize its performance and the system management features of the VPN firewall.
Performance Management
• Bandwidth Capacity
• Features That Reduce Traffic
• Features That Increase Traffic
• Use QoS and Bandwidth Assignment to Shift the Traffic Mix
• Monitoring Tools for Traffic Management
Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through when there is a bottleneck.
Features That Reduce Traffic
You can adjust the following features of the VPN firewall so that the traffic load on the WAN side decreases:
• LAN WAN outbound rules (also referred to as service blocking)
• DMZ WAN outbound rules (also referred to as service blocking)
• Content filtering
• Source MAC filtering
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)
You can control specific outbound traffic (from LAN to WAN and
• LAN users (or DMZ users). You can specify which computers on your network are affected by an outbound rule. There are several options:
- Any. The rule applies to all computers and devices on your LAN or DMZ.
- Single address. The rule applies to the address of a particular computer.
- Address range. The rule applies to a range of addresses.
- Groups. The rule applies to a group of computers.
To reduce traffic, the VPN firewall provides the following methods to filter web content:
• Keyword blocking. You can specify words that, should they appear in the website name (URL) or newsgroup name, cause that site or newsgroup to be blocked by the VPN firewall.
• Web object blocking. You can block the following web component types: embedded objects (ActiveX and Java), proxies, and cookies.
Each rule lets you specify the desired action for the connections covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
The following section summarizes the various criteria that you can apply to inbound rules and that might increase traffic. For more information about inbound rules, see Inbound Rules (Port Forwarding) on page 140.
- Address range. The rule applies to a range of Internet IP addresses.
- IP Groups. The rule applies to a group of individual WAN IP addresses. Use the IP Groups screen (under the Network Security main navigation menu) to assign IP addresses to groups. For more information, see Create IP Groups on page 179.
• Schedule. You can configure three different schedules to specify when a rule is applied.
VPN, L2TP, and PPTP Tunnels
The VPN firewall supports site-to-site IPSec VPN tunnels, dedicated SSL VPN tunnels, L2TP tunnels, and PPTP tunnels. Each tunnel requires extensive processing for encryption and authentication, and the tunnel encapsulation adds overhead to every packet, thereby increasing traffic through the WAN ports. For information about IPSec VPN, L2TP, and PPTP tunnels, see Chapter 5, Virtual Private Networking Using IPSec and L2TP Connections.
Monitoring Tools for Traffic Management
The VPN firewall includes several tools that can be used to monitor the traffic conditions of the firewall and content-filtering engine and to monitor the users’ access to the Internet and the types of traffic that they are allowed to have. See Chapter 9, Monitor System Access and Performance, for a description of these tools.
Figure 217.
2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit Users screen displays:
Figure 218.
You cannot modify the administrator user name, user type, or group assignment.
3. Select the Check to Edit Password check box. The password fields become available.
4. Enter the old password, enter the new password, and confirm the new password.
6. Click Apply to save your settings.
7. Repeat Step 1 through Step 6 for the user with the name guest.
Note: After a factory defaults reset, the password and time-out value are changed back to password and 5 minutes, respectively.
You can also change the administrator login policies:
• Disable login. Deny login access.
Note: Do not deny login access to the administrator account that you are currently logged in with; you would lock yourself out of the VPN firewall.
continuing (see Change Passwords and Administrator and Guest Settings on page 336).
To configure the VPN firewall for remote management:
1. Select Administration > Remote Management. The Remote Management screen displays the IPv4 settings (see the next figure).
2. Specify the IP version for which you want to configure remote management:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
Figure 220. Remote Management screen for IPv6
3. Enter the settings as described in the following table:
Table 83. Remote Management screen settings for IPv4 and IPv6
Setting Description
Secure HTTP Management
Allow Secure HTTP Management? To enable secure HTTP (HTTPS) management, select the Yes radio button, which is the default setting. To disable secure HTTP management, select the No radio button.
Note: The selected setting applies to all WAN interfaces.
Table 83. Remote Management screen settings for IPv4 and IPv6 (continued)
Setting Description
Telnet Management
Allow Telnet Management? To enable Telnet management, select the Yes radio button. To disable Telnet management, select the No radio button, which is the default setting. Telnet carries the login credentials and the entire session in cleartext, so leave it disabled on WAN interfaces unless you have no alternative, and in that case restrict it to a specific address range. Specify the addresses through which access is allowed by selecting one of the following radio buttons:
• Everyone. There are no IP address restrictions.
• IP address range.
Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert VPN firewall.mynetgear.net, and the WAN IP address that your ISP assigned to the VPN firewall is displayed.
Figure 221.
The SNMPv3 Users table includes the default SNMPv3 users that are preconfigured on the VPN firewall. The SNMPv3 Users table shows the following columns:
• Username. The default user names (admin or guest).
• Access Type. Read-write user (RWUSER) or read-only user (ROUSER). By default, the user admin is an RWUSER and the user guest is an ROUSER.
• Security Level.
2. To specify a new SNMP configuration, in the Create New SNMP Configuration Entry section of the screen, configure the settings as described in the following table:
Table 84. SNMP screen settings
Setting Description
Access From WAN
Enable access from WAN To enable SNMP access by an SNMP manager through the WAN interface, select the Enable access from WAN check box. By default, this check box is cleared and access is disabled.
Figure 222.
2. Modify the settings as described in the previous table.
3. Click Apply to save your settings.
To delete one or more SNMP configurations:
1. On the SNMP screen (see Figure 221 on page 343), select the check box to the left of each SNMP configuration that you want to delete, or click the Select All table button to select all SNMP configurations.
2. Click the Delete table button.
To edit the SNMPv3 default users:
1.
Table 85. Edit User screen settings for SNMPv3 users (continued)
Setting Description
Security Level From the drop-down list, select the security level for communication between the SNMPv3 user and the SNMP agent that collects the MIB objects from the VPN firewall:
• NoAuthNoPriv. Both authentication and privacy are disabled. This is the default setting. At this level SNMPv3 gives no more protection than SNMPv1 or SNMPv2c: requests are neither authenticated nor encrypted, so anyone who can reach the agent and knows the user name (the defaults are admin and guest) can read the MIB, and, for the RWUSER, write to it. Raise the level, and change the default user names, before you enable access from WAN.
• AuthNoPriv. Authentication is enabled but privacy is disabled.
2. Enter the settings as described in the following table:
Table 86. SNMP SysConfiguration screen settings
Setting Description
SysContact Enter the SNMP system contact information that is available to the SNMP manager. This setting is optional.
SysLocation Enter the physical location of the VPN firewall. This setting is optional.
SysName Enter the name of the VPN firewall for SNMP identification purposes. The default name is SRX5308.
3.
Figure 225.
Back Up Settings
The backup feature saves all VPN firewall settings to a file. Back up your settings periodically, and store the backup file in a safe place: it holds the complete configuration, including user accounts and VPN policies, so protect it as you would the device itself.
Tip: You can use a backup file to export all settings to another VPN firewall that has the same language and management software versions. Remember to change the IP address of the second VPN firewall before deploying it to eliminate IP address conflicts on the network.
Restore Settings
WARNING: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the VPN firewall system software.
To restore settings from a backup file:
1. On the Settings Backup and Firmware Upgrade screen (see Figure 225 on page 348), next to Restore saved settings from file, click Browse.
2.
WARNING: When you press the hardware factory default Reset button or click the software Default button, the VPN firewall settings are erased. All firewall rules, VPN policies, LAN and WAN settings, and other settings are lost. Back up your settings if you intend to use them again.
Note: After you reboot with factory default settings, the VPN firewall’s password is password, and the LAN IP address is 192.168.1.1.
The newly installed firmware is the active firmware. The previously installed firmware has become the secondary firmware.
8. Select Monitoring. The Router Status screen displays, showing the new firmware version in the System Info section of the screen.
Note: In some cases, such as a major upgrade, it might be necessary to erase the configuration and manually reconfigure your VPN firewall after upgrading it.
4. Select Monitoring. The Router Status screen displays, showing the selected firmware version in the System Info section of the screen.
Configure Date and Time Service
Configure date, time, and NTP server designations on the System Date & Time screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. Accurate time also matters for security: certificate and CRL validity periods are checked against the system clock, and log time stamps can be correlated with other systems only if the clock is right.
Table 87. Time Zone screen settings (continued)
Setting Description
Resolve IPv6 address for servers Select this check box to force the use of IPv6 addresses and FQDN (domain name) resolution in the Server 1 Name / IP Address and Server 2 Name / IP Address fields when you have selected the Use Custom NTP Servers radio button.
Select NTP Mode In all three NTP modes, the VPN firewall functions both as a client and a server.
Table 87. Time Zone screen settings (continued)
Setting Description
NTP Servers (default or custom) Select one of the following radio buttons to specify the NTP servers:
• Use Default NTP Servers. The VPN firewall regularly updates its RTC by contacting a default NETGEAR NTP server on the Internet.
• Use Custom NTP Servers.
9. Monitor System Access and Performance
This chapter describes the system-monitoring features of the VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described.
Configure and Enable the WAN Traffic Meter
If your ISP charges by traffic volume over a given period, or if you want to study traffic types over a period, you can activate the traffic meter for IPv4 traffic on a WAN port.
To configure and monitor traffic limits on a WAN port:
1. Select Monitoring > Traffic Meter. The WAN Traffic Meter tabs display, with the WAN1 Traffic Meter screen in view.
Table 88. WAN1 Traffic Meter screen settings
Setting Description
Enable Traffic Meter Do you want to enable Traffic Metering on WAN1? Select one of the following radio buttons to configure traffic metering:
• Yes. Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN interface. Complete the fields that are shown on the right side of the screen (see explanations later in this table).
• No.
Table 88. WAN1 Traffic Meter screen settings (continued)
Setting Description
When Limit is reached Block Traffic Select one of the following radio buttons to specify which action the VPN firewall performs when the traffic limit has been reached:
• Block All Traffic. All incoming and outgoing Internet and email traffic is blocked.
• Block All Traffic Except E-Mail.
Configure and Enable the LAN Traffic Meter
If your ISP charges by traffic volume over a period and you need to charge the costs to individual accounts, or if you want to study the traffic volume that is requested or sent over a LAN IP address over a period, activate the traffic meter for individual LAN IP addresses.
To configure and monitor traffic limits for LAN IP addresses:
1. Select Network Configuration > LAN Settings.
• Traffic (MB). The traffic usage in MB.
• State. The state that indicates whether traffic to and from the IP address is allowed or blocked.
• Action. The Edit table button provides access to the Edit LAN Traffic Meter screen for the corresponding IP address.
4. On the LAN Traffic Meter screen, click the Add table button. The Add LAN Traffic Meter screen displays:
Figure 231.
5. Enter the settings as described in the following table:
Table 89.
Table 89. Add LAN Traffic Meter Account screen settings (continued)
Setting Description
Send e-mail report before restarting counter An email report is sent immediately before the counter restarts. Ensure that emailing of logs is enabled on the Firewall Logs & E-mail screen (see Configure Logging, Alerts, and Event Notifications on page 362).
Configure Logging, Alerts, and Event Notifications
You can configure the VPN firewall to log routing events such as dropped and accepted packets, to log system events such as a change of time by an NTP server, secure login attempts, and reboots, and to log other events. You can also schedule logs to be sent to the administrator and enable logs to be sent to a syslog server on the network.
To configure and activate logs:
1.
2. Enter the settings as described in the following table:
Table 90. Firewall Logs & E-mail screen settings
Setting Description
Log Options
Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to identify the device that sent the log messages. The default identifier is SRX5308. If more than one VPN firewall reports to the same syslog server or mailbox, give each one a unique identifier so that their messages can be told apart.
Table 90. Firewall Logs & E-mail screen settings (continued)
Setting Description
Enable E-mail Logs Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to email logs to a specified email address. Complete the fields that are shown on the right side of the screen. Select the No radio button to prevent the logs from being emailed, which is the default setting.
Table 90. Firewall Logs & E-mail screen settings (continued)
Setting Description
Enable SysLogs Do you want to enable syslog? To enable the VPN firewall to send logs to a specified syslog server, select the Yes radio button. Complete the fields that are shown on the right side of the screen. To prevent the logs from being sent, select the No radio button, which is the default setting.
SysLog Server The IP address or FQDN of the syslog server.
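Once the VPN firewall is sending to a syslog server, the login failures this chapter says it can alert on become detectable on the server side too. The following Python script is an added example and not part of the manual: a parser for RFC 3164-style syslog lines as a collector would receive them, keyed on the Log Identifier from the table above (assumed here to occupy the hostname position of each line), with a counter of failed logins per source address that flags password guessing above a threshold. The log lines are constructed for the example; the exact wording of the VPN firewall's login messages is not shown on this page, so the message pattern (FAILED_LOGIN_RE) is an assumption that you would adapt to the real text.

```python
"""Parse syslog lines from the firewall and flag repeated login failures.

Added example, not NETGEAR code.  The sample lines and the message wording
matched by FAILED_LOGIN_RE are constructed; adapt the pattern to real logs.
"""
import re
from collections import Counter

# RFC 3164 line: <PRI>TIMESTAMP HOST MESSAGE.  PRI = facility * 8 + severity.
# The firewall's Log Identifier (default SRX5308) is assumed to be HOST here.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<ident>\S+) (?P<msg>.*)$"
)
# Constructed message wording, not the device's actual text.
FAILED_LOGIN_RE = re.compile(r"login failed .*?from (?P<src>[0-9a-fA-F:.]+)", re.I)


def parse_syslog(line):
    """Return a dict for a well-formed line, or None for anything else.  A
    collector should never crash on a malformed line; it should skip it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 facilities * 8 + 7 severities
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "identifier": m.group("ident"),
        "message": m.group("msg"),
    }


def failed_logins_by_source(lines, identifier="SRX5308"):
    """Count failed logins per source address, only for lines from the device
    whose Log Identifier matches; other devices' lines are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["identifier"] != identifier:
            continue
        m = FAILED_LOGIN_RE.search(rec["message"])
        if m:
            counts[m.group("src")] += 1
    return counts


def brute_force_sources(lines, threshold=3, identifier="SRX5308"):
    """Sources with at least `threshold` failures, sorted for stable output."""
    counts = failed_logins_by_source(lines, identifier)
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample input (documentation addresses, invented wording).
SAMPLE_LINES = [
    "<86>Apr 10 09:12:01 SRX5308 Login failed for user admin from 203.0.113.9",
    "<86>Apr 10 09:12:03 SRX5308 Login failed for user admin from 203.0.113.9",
    "<86>Apr 10 09:12:06 SRX5308 Login failed for user root from 203.0.113.9",
    "<86>Apr 10 09:12:09 SRX5308 Login failed for user admin from 203.0.113.9",
    "<86>Apr 10 09:15:44 SRX5308 Login failed for user guest from 198.51.100.20",
    "<86>Apr 10 09:16:02 SRX5308 Login succeeded for user admin from 198.51.100.20",
    "<86>Apr 10 09:17:30 BRANCH-FW Login failed for user admin from 203.0.113.9",
    "this line is not syslog at all and must be skipped, not crash the parser",
]

if __name__ == "__main__":
    print(dict(failed_logins_by_source(SAMPLE_LINES)))
    print("flag:", brute_force_sources(SAMPLE_LINES))
```

Running it over the sample shows why the identifier matters: the line from BRANCH-FW is excluded from the SRX5308 count, so if two firewalls were left with the default identifier their failures would be merged into one misleading total.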
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 234. You can refresh the logs, clear the logs, or send the logs to an email address. To view the DNS logs onscreen: 1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays. 2. Click the DNS Logs option arrow in the upper right of the Firewall Logs & E-mail screen. The DNS Logs screen displays: Figure 235. You can refresh the logs or clear the logs.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 How to Send Syslogs over a VPN Tunnel between Sites To send syslogs from one site to another over a gateway-to-gateway VPN tunnel: 1. At Site 1, set up a syslog server that is connected to Gateway 1. 2. Set up a VPN tunnel between Gateway 1 at Site 1 and Gateway 2 at Site 2. 3. Change the remote IP address in the VPN policy on Gateway 1 to the WAN IP address of Gateway 2. 4.
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 4. In the Traffic Selector section of the screen, make the following changes: • From the Remote IP drop-down list, select Single. • In the Start IP fields, type 10.0.0.2, which is the WAN IP address of Gateway 2. 5. Click Apply to save the settings. Configure Gateway 2 at Site 2 To create a gateway-to-gateway VPN tunnel to Gateway 1, using the IPSec VPN wizard: 1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. 2.
View Status Screens
• View the System Status
• View the VPN Connection Status, L2TP Users, and PPTP Users
• View the VPN Logs
• View the Port Triggering Status
• View the WAN Port Status
• View the Attached Devices and the DHCP Log
View the System Status
When you start up the VPN firewall, the default screen that displays is the Router Status screen.
Figure 236.
The following table explains the fields of the Router Status screen:
Table 91. Router Status screen information
System Info
System Name: The NETGEAR system name.
Firmware Version: The installed firmware version.
Secondary Firmware Version: The secondary software version. This version is for display only. (You cannot configure or select this version.)
Table 91. Router Status screen information (continued)
LAN IPv6 Information
MAC Address: The MAC address of the VPN firewall.
IPv6 Address: The IPv6 LAN address that is assigned to the VPN firewall. For information about configuring the IPv6 address, see Configure the IPv6 Internet Connection and WAN Settings on page 52.
DHCP Server: The status of the IPv4 DHCP server (Enabled or Disabled).
Figure 237.
The following table explains the fields of the Router Statistics screen. To change the poll interval period, enter a new value (in seconds) in the Poll Interval field, and click Set interval. To stop polling, click Stop.
Table 92. Router Statistics screen information
System up Time: The period since the last time that the VPN firewall was started up.
Figure 238.
The following table explains the fields of the Detailed Status screen:
Table 93. Detailed Status screen information
LAN Port Configuration: The following fields are shown for each of the LAN ports.
VLAN Profile: The name of the VLAN profile that you assigned to the LAN port on the LAN Setup screen (see Assign and Manage VLAN Profiles on page 86).
Table 93. Detailed Status screen information (continued)
DMZ IPv6 Configuration
IPv6 Address: The IPv6 address and prefix length for the DMZ.
DHCP Status: The status of the DHCPv6 server for the DMZ (Enabled or Disabled).
Primary DNS Server: The IPv6 address of the primary DNS server for the DMZ.
For information about configuring the IPv6 DMZ, see DMZ Port for IPv6 Traffic on page 118.
Table 93. Detailed Status screen information (continued)
IP Address: The IPv4 address of the WAN port. For information about configuring the IPv4 address of the WAN port, see Configure the IPv4 Internet Connection and WAN Settings on page 29.
IPv6 Address: The IPv6 address and prefix length of the WAN port.
The following table explains the fields of the VLAN Status screen:
Table 94. VLAN Status screen information
Profile Name: The unique name for the VLAN that you have assigned on the Add VLAN Profile screen.
VLAN ID: The identifier for the VLAN that you have assigned on the Add VLAN Profile screen.
View the VPN Connection Status, L2TP Users, and PPTP Users
The Connection Status screens display a list of IPSec VPN connections, SSL VPN connections, and L2TP users who are logged in to the VPN firewall.
To view the active IPSec VPN connections:
Select VPN > Connection Status. The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view:
Figure 241.
The active user’s user name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active connection, click the Disconnect table button to the right of the policy’s table entry.
To view the active L2TP tunnel users:
Select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays. (The following figure does not show any active users.)
Figure 243.
The List of PPTP Active Users table lists each active connection with the information that is described in the following table.
Table 96. PPTP Active Users screen information
Username: The name of the PPTP user that you have defined (see Configure User Accounts on page 310).
Remote IP: The remote client’s IP address.
PPTP IP: The IP address that is assigned by the PPTP server on the VPN firewall.
Figure 246.
View the Port Triggering Status
To view the status of the port triggering feature:
1. Select Security > Port Triggering. The Port Triggering screen displays. (The following figure shows one rule in the Port Triggering Rules table as an example.)
Figure 247.
2. Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status pop-up screen displays.
Figure 248.
The Port Triggering Status screen displays the information that is described in the following table:
Table 97. Port Triggering Status screen information
#: The sequence number of the rule onscreen.
Rule: The name of the port triggering rule that is associated with this entry.
LAN IP Address: The IP address of the computer or device that is using this rule.
Open Ports: The incoming ports that are associated with this rule.
Figure 249.
2. In the Action column, click the Status button of the WAN interface for which you want to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration.)
Figure 250.
The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table:
Table 98.
Table 98. Connection Status screen information for an IPv4 connection (continued)
DHCP Server: DHCP only. The DHCP server that was automatically detected. This field displays only if your ISP does not require a login and the IP address is acquired dynamically from your ISP. You have configured these ISP settings on the WAN IPv4 ISP Settings screen.
Figure 252.
The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table:
Table 99. Connection Status screen information for an IPv6 connection
Connection Time: The period that the VPN firewall has been connected through the WAN port.
View the Attached Devices
To view the attached devices on the LAN Groups screen:
Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays. (The following figure shows some examples in the Known PCs and Devices table.)
Figure 253.
Note: If the VPN firewall is rebooted, the data in the Known PCs and Devices table is lost until the VPN firewall rediscovers the devices.
View the DHCP Log
To review the most recent entries in the DHCP log:
1. Select Network Configuration > LAN Settings. The LAN Setup screen displays the IPv4 settings (see Figure 51 on page 88).
2. Click the DHCP Log option arrow to the right of the LAN Setup tab. The DHCP Log screen displays:
Figure 254.
Diagnostics Utilities
• Send a Ping Packet
• Trace a Route
• Look Up a DNS Address
• Display the Routing Tables
• Capture Packets in Real Time
• Reboot the VPN Firewall Remotely
The VPN firewall provides diagnostic tools that help you analyze the status of the network and traffic conditions. Two types of tools are available:
• Network diagnostic tools.
• IPv6. Select the IPv6 radio button. The Diagnostics screen displays the IPv6 settings:
Figure 256.
The various tasks that you can perform on the Diagnostics screen are described in the following sections.
Send a Ping Packet
Use the ping utility to send a ping packet request in order to check the connection between the VPN firewall and a specific IP address or FQDN.
Trace a Route
A traceroute lists all routers between the source (the VPN firewall) and the destination IP address.
To send a traceroute:
1. On the Diagnostics screen for IPv4, in the IP Address / Domain Name field of the Ping or Trace an IP Address section, enter the IP address or domain name that you want to trace; on the Diagnostics screen for IPv6, in the Domain Name field, enter the domain name that you want to trace (you cannot enter an IP address).
Capture Packets in Real Time
Capturing packets can assist NETGEAR technical support in diagnosing packet transfer problems. You can also use a traffic analyzer to do your own problem diagnoses.
To capture packets in real time:
1. In the Router Options section of the screen, next to Capture Packets, click the Packet Trace button. The Capture Packets pop-up screen displays:
Figure 257.
2.
10. Troubleshooting
This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated.
• Is the VPN firewall on? Go to Basic Functioning on page 393.
• Have I connected the VPN firewall correctly? Go to Basic Functioning on page 393.
• I cannot access the VPN firewall’s web management interface.
Note: The VPN firewall’s diagnostic tools are described in Diagnostics Utilities on page 388.
Basic Functioning
• Power LED Not On
• Test LED Never Turns Off
• LAN or WAN Port LEDs Not On
After you turn on power to the VPN firewall, verify that the following sequence of events occurs:
1. When power is first applied, verify that the Power LED is on.
2. After approximately 2 minutes, verify that:
a. The Test LED is no longer lit.
b.
If all LEDs are still on more than several minutes after power-up, do the following:
• Turn off the power, and turn it on again to see if the VPN firewall recovers.
• Reset the VPN firewall’s configuration to factory default settings. Doing so sets the VPN firewall’s IP address to 192.168.1.1. This procedure is described in Restore the Default Configuration and Password on page 401.
• Make sure that you are using the SSL https://address login rather than the http://address login.
• Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded.
• Try quitting the browser and launching it again.
• Clear the browser’s cache.
• Make sure that you are using the correct login information.
Troubleshoot the ISP Connection
If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP. Unless you were assigned a static IP address, your VPN firewall requests an IP address from the ISP. You can determine whether the request was successful using the web management interface.
To check the WAN IP address:
1.
have to enter additional information. For more information, see Manually Configure an IPv4 Internet Connection on page 34.
• Your ISP allows only one Ethernet MAC address to connect to the Internet, and might check for your computer’s MAC address. In this case, do one of the following:
- Inform your ISP that you have a new network device, and ask them to use the VPN firewall’s MAC address.
- Windows Server 2003, all versions
- Windows Server 2003 R2, all versions
- Linux and other UNIX-based systems with a correctly configured kernel
- Mac OS X
• Make sure that IPv6 is enabled on the computer. On a computer that runs a Windows-based operating system, do the following (note that the steps might differ on the various Windows operating systems):
a. Open the Network Connections screen or the Network and Sharing Center screen.
c. Click or double-click View status of this connection. The Local Area Connection Status screen displays:
Figure 259.
d. Make sure that Internet access shows for the IPv6 connection. (The previous figure shows that there is no Internet access.)
e. Click Details. The Network Connection Details screen displays:
Figure 260.
f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80.
Test the Path from Your Computer to a Remote Device
After verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows Run dialog box, type:
ping -n 10 <IP address>
in which <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed.
Figure 261.
b. In the Backup / Restore Settings section of the screen, click the Default button. The VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible, or a status message with a counter might show the number of seconds left until the reboot process is complete. The reboot process takes about 160 seconds.
Address Problems with Date and Time
The System Date & Time screen displays the current date and time of day (see Configure Date and Time Service on page 352). The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several network time servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:
• Date shown is January 1, 2000.
A.
Factory Default Settings
You can use the factory default Reset button on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see Revert to Factory Default Settings on page 349):
• To perform a hard reset, press and hold the factory default Reset button for approximately 8 seconds (until the Test LED blinks rapidly).
Table 100. VPN firewall factory default configuration settings (continued)
IPv4 LAN, DMZ, and routing settings
LAN IPv4 address for the default VLAN: 192.168.1.1
LAN IPv4 subnet mask for the default VLAN: 255.255.255.0
VLAN 1 membership: All ports
LAN DHCP server for the default VLAN: Enabled
LAN DHCP IPv4 starting address for the default VLAN: 192.168.1.100
LAN DHCP IPv4 ending address for the default VLAN: 192.168.1.
Table 100. VPN firewall factory default configuration settings (continued)
Firewall and security settings
Inbound LAN WAN rules (communications coming in from the Internet): All traffic is blocked, except for traffic in response to requests from the LAN.
Outbound LAN WAN rules (communications from the LAN): All traffic is allowed.
Table 100.
Table 100. VPN firewall factory default configuration settings (continued)
VPN IPsec Wizard: IKE policy settings for IPv4 gateway-to-client tunnels
Exchange mode: Aggressive
ID type: FQDN
Local WAN ID: remote.com
Remote WAN ID: local.
Table 100.
Table 101.
The following table shows the SSL VPN specifications for the VPN firewall:
Table 103. VPN firewall SSL VPN specifications
Network Management: Web-based configuration and status monitoring
Number of concurrent users supported: 50
SSL versions: SSLv3, TLS1.
B. Network Planning for Multiple WAN Ports
This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port.
What to Consider Before You Begin
• Cabling and Computer Hardware Requirements
• Computer Network Configuration Requirements
• Internet Configuration Requirements
The VPN firewall is a powerful and versatile solution for your networking needs. To make the configuration process easier and to understand all of the choices that are available to you, consider the following before you begin:
1. Plan your network.
a.
Figure 262. (Diagram: customer premises VPN firewall with route diversity; WAN port 1 connects through physical facility 1 to ISP 1 and WAN port 2 through physical facility 2 to ISP 2, both reaching the Internet.)
b. Contact a Dynamic DNS service, and register FQDNs for one or both WAN ports.
3. Plan your network management approach.
• The VPN firewall can be managed remotely, but you need to enable remote management locally after each factory default reset.
Internet Configuration Requirements
Depending on how your ISP sets up your Internet accounts, you need the following Internet configuration information to connect the VPN firewall to the Internet:
• Host and domain names
• One or more ISP login names and passwords
• ISP Domain Name Server (DNS) addresses
• One or more fixed IP addresses (also known as static IP addresses)
Where Do I Get the Internet Configuration Information?
There are several ways you
Internet Connection Information
Print this page with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP.
• ISP login name. The login name and password are case-sensitive and need to be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name.
Overview of the Planning Process
The areas that require planning when you use a firewall that has multiple WAN ports such as the VPN firewall include the following:
• Inbound traffic (port forwarding, port triggering)
• Outbound traffic (protocol binding)
• Virtual private networks (VPNs)
Two WAN ports can be configured on a mutually exclusive basis to do either of the following:
• Auto-rollover for increased reliability
• Load balance for outgoing
Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port need to be in the identical range of fixed addresses.
• Dual WAN ports in load balancing mode. Load balancing for a VPN firewall with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address.
Figure 265.
Inbound Traffic to a Dual WAN Port System
The IP address range of the VPN firewall’s WAN port needs to be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
Inbound Traffic: Dual WAN Ports for Improved Reliability
In a dual WAN port auto-rollover configuration, the WAN port’s IP address always changes when a rollover occurs.
Figure 267.
Virtual Private Networks
• VPN Road Warrior (Client-to-Gateway)
• VPN Gateway-to-Gateway
• VPN Telecommuter (Client-to-Gateway through a NAT Router)
When implementing virtual private network (VPN) tunnels, you need to use a mechanism for determining the IP addresses of the tunnel endpoints.
always changes. Therefore, the use of an FQDN is always required, even when the IP address of each WAN port is fixed.
Note: When the VPN firewall’s WAN port rolls over, the VPN tunnel collapses and needs to be reestablished using the new WAN IP address. However, you can configure automatic IPSec VPN rollover to ensure that an IPSec VPN tunnel is reestablished.
Figure 268.
• Dual WAN ports in load balancing mode.
VPN Road Warrior: Single-Gateway WAN Port (Reference Case)
In a single WAN port gateway configuration, the remote computer client initiates the VPN tunnel because the IP address of the remote computer client is not known in advance. The gateway WAN port needs to act as the responder.
Figure 270.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, an FQDN needs to be used.
Figure 272.
The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote computer client can determine the gateway IP address to establish or reestablish a VPN tunnel.
VPN Gateway-to-Gateway
The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall:
• Single-gateway WAN ports
• Redundant dual-gateway WAN ports for increased reliability (before and after rollover)
• Dual-gateway WAN ports for load balancing
VPN Gateway-to-Gateway: Single-Gateway WAN Ports (Reference Case)
In a configuration with two single WAN port gateways, either gatew
Figure 275.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (that is, the IP address of the active WAN ports is not known in advance).
Figure 277.
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.
VPN Telecommuter (Client-to-Gateway through a NAT Router)
Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you need to use an FQDN. If the IP address is fixed, an FQDN is optional.
VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing
In a gateway configuration with dual WAN ports that function in load balancing mode, the remote computer client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The selected gateway WAN port needs to act as the responder.
C. System Logs and Error Messages
This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided.
Log Message Terms
This appendix uses the following log message terms.
Table 106. Log message terms
[SRX5308]: System identifier.
[kernel]: Message from the kernel.
CODE: Protocol code (for example, protocol is ICMP, type 8) and CODE=0 means successful reply.
DEST: Destination IP address of the machine to which the packet is destined.
DPT: Destination port.
IN: Incoming interface for packet.
OUT: Outgoing interface for packet.
This section describes log messages that belong to one of the following categories:
• Logs generated by traffic that is meant for the VPN firewall.
• Logs generated by traffic that is routed or forwarded through the VPN firewall.
• Logs generated by system daemons, the NTP daemon, the WAN daemon, and other daemons.
For information about how to select many of these logs, see Configure Logging, Alerts, and Event Notifications on page 362.
Table 108. System logs: login/logout (continued)
Recommended action: None
Message:
Nov 28 14:55:09 [SRX5308] [seclogin] Logout succeeded for user admin
Nov 28 14:55:13 [SRX5308] [seclogin] Login succeeded: user admin from 192.168.1.214
Explanation: Secure login/logout of user admin from host with IP address 192.168.1.214.
Recommended action: None
System Startup
This section describes the log message generated during system startup.
Table 109.
IPSec Restart
This section describes logs that are generated when IPSec restarts.
Table 112. System logs: IPSec restart
Message: Jan 23 16:20:44 [SRX5308] [wand] [IPSEC] IPSEC Restarted
Explanation: Log generated when the IPSec is restarted. This message is logged when IPSec restarts after any changes in the configuration are applied.
Recommended action: None
Unicast, Multicast, and Broadcast Logs
Table 113.
Multicast/Broadcast Logs
Table 115. System logs: multicast/broadcast
Message: Jan 1 07:24:13 [SRX5308] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC= 192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
Explanation:
• This multicast or broadcast packet is sent to the device from the WAN network.
• For other settings, see Table 106 on page 431.
Recommended action: None
WAN Status
This section describes the logs generated by the WAN component.
This section describes the logs generated when the WAN mode is set to auto-rollover.
Table 117.
PPPoE Idle Timeout Logs
Table 118. System logs: WAN status, PPPoE idle time-out
Message:
Nov 29 13:12:46 [SRX5308] [pppd] Starting connection
Nov 29 13:12:49 [SRX5308] [pppd] Remote message: Success
Nov 29 13:12:49 [SRX5308] [pppd] PAP authentication succeeded
Nov 29 13:12:49 [SRX5308] [pppd] local IP address 50.0.0.62
Nov 29 13:12:49 [SRX5308] [pppd] remote IP address 50.0.0.1
Nov 29 13:12:49 [SRX5308] [pppd] primary DNS address 202.153.32.
Table 119. System logs: WAN status, PPTP idle time-out (continued)
Explanation:
Message 1: Starting PPP connection process.
Message 2: Message from the server for authentication success.
Message 3: Local IP address assigned by the server.
Message 4: Server side IP address.
Message 6: The primary DNS server that is configured on the WAN ISP Settings screen.
Message 7: The secondary DNS server that is configured on the WAN ISP Settings screen.
VPN Log Messages
This section explains logs that are generated by IPSec VPN and SSL VPN policies. These logs are generated automatically and do not need to be enabled.
IPSec VPN Logs
This section describes the log messages generated by IPSec VPN policies.
Table 122. System logs: IPSec VPN tunnel, tunnel establishment (continued)
Messages 22 and 23; Messages 24 and 25:
2000 Jan 1 04:13:40 [SRX5308] [IKE] Responding to new phase 2 negotiation: 20.0.0.2[0]<=>20.0.0.1[0]_
2000 Jan 1 04:13:40 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24_
2000 Jan 1 04:13:41 [SRX5308] [IKE] IPSec-SA established: ESP/Tunnel 20.0.0.1->20.0.0.
Table 123. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel is reestablished (continued)
Explanation:
Message 1: Informational exchange for deleting the payload.
Messages 2–6: Phase 2 configuration is purged and confirms that no phase 2 is bounded.
Message 7: Informational exchange for deleting the payload.
Messages 8–11: Phase 1 configuration. The VPN tunnel is reestablished.
Table 125. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec) (continued)
Explanation:
Messages 1–4: After receiving a request for phase 1 negotiation, a Dead Peer Detection Vendor ID is received.
Message 5: DPD is enabled.
Message 7: The DPD vendor ID is set.
Recommended action: None
Table 126.
Table 128. System logs: IPSec VPN tunnel, client policy behind a NAT device
Message 3; Message 6:
2000 Jan 1 01:54:21 [SRX5308] [IKE] Floating ports for NAT-T with peer 20.0.0.1[4500]_
2000 Jan 1 01:54:21 [SRX5308] [IKE] NAT-D payload matches for 20.0.0.2[4500]_
2000 Jan 1 01:54:21 [SRX5308] [IKE] NAT-D payload does not match for 20.0.0.1[4500]_
2000 Jan 1 01:54:21 [SRX5308] [IKE] Ignore REPLAY-STATUS notification from 20.0.0.1[4500].
Table 131. System logs: VPN log messages, port forwarding, LAN host and interface
Message: 2000 Jan 1 01:35:41 [SRX5308] [portforwarding] id=SRX5308 time="2000-1-1 1:35:41" fw=192.168.11.1 pri=6 rule=access-policy proto="Virtual Transport (Java)" src=192.168.11.2 user=sai dst=192.168.11.1 arg= "" op="" result="" rcvd="" msg="Virtual Transport (Java)"
Explanation: An SSL VPN tunnel through port forwarding is established for ID SRX5308 from the LAN host 192.
LAN to WAN Logs
Table 133. Routing logs: LAN to WAN
Message: Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from LAN to WAN has been allowed by the firewall.
• For other settings, see Table 106 on page 431.
Recommended action: None
LAN to DMZ Logs
Table 134.
DMZ to LAN Logs
Table 137. Routing logs: DMZ to LAN
Message: Nov 29 09:44:06 [SRX5308] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC= 192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from DMZ to LAN has been dropped by the firewall.
• For other settings, see Table 106 on page 431.
Recommended action: None
WAN to DMZ Logs
Table 138.
Source MAC Filter Logs
Table 140. Other event logs: source MAC filter logs
Message: 2000 Jan 1 06:40:10 [SRX5308] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0
Explanation: Because MAC address 00:12:3f:34:41:14 of LAN host with IP address 192.168.11.
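The terms in Table 106 and the kernel, login and IKE messages quoted in this appendix share one layout: a timestamp, the [SRX5308] system identifier, a [component] tag, and a body that for kernel traffic logs is a chain name (LAN2WAN, DMZ2LAN, MCAST-BCAST, SRC_MAC_MATCH), an optional [ACCEPT] or [DROP] verdict, and KEY=value fields. The following added example (not NETGEAR code) parses such lines into those parts and then counts drops per chain and per source address; the sample lines are constructed after the formats printed in the tables above, and the regular expressions assume exactly that layout.

```python
"""Parse SRX5308-style syslog lines of the kinds quoted in this appendix (added example, not NETGEAR code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the message formats quoted in Tables 106, 108,
# 115, 122, 133, 137 and 140. "SRC= 192.168.1.73" keeps the spacing the manual prints.
SAMPLE_LOG = """\
Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:44:06 [SRX5308] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC= 192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Jan 1 07:24:13 [SRX5308] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC= 192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
2000 Jan 1 06:40:10 [SRX5308] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0
Nov 28 14:55:13 [SRX5308] [seclogin] Login succeeded: user admin from 192.168.1.214
2000 Jan 1 04:13:40 [SRX5308] [IKE] Responding to new phase 2 negotiation: 20.0.0.2[0]<=>20.0.0.1[0]_
"""

# Prefix: "Nov 29 09:19:43" or "2000 Jan 1 06:40:10", then [system] [component] body
PREFIX_RE = re.compile(
    r"^(?P<ts>(?:\d{4} )?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<system>[^\]]+)\] \[(?P<component>[^\]]+)\] (?P<body>.*)$"
)
# Kernel body: chain name (LAN2WAN, DMZ2LAN, MCAST-BCAST, ...), optional [VERDICT], then fields
CHAIN_RE = re.compile(r"^(?P<chain>[A-Z0-9_-]+)(?:\[(?P<verdict>[A-Z]+)\])?\s*(?P<rest>.*)$")
# "SRC MAC = 00:12:3f:34:41:14" is the one field the firewall writes with spaces around "="
SRC_MAC_RE = re.compile(r"SRC MAC = (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
# KEY=value pairs; the "\s*" tolerates the "SRC= 1.2.3.4" spacing seen in the tables
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=\s*(?P<value>\S+)")


@dataclass
class LogEvent:
    timestamp: str
    system: str          # the [SRX5308] system identifier
    component: str       # kernel, seclogin, IKE, pppd, dhcpd, ...
    body: str
    chain: Optional[str] = None    # kernel traffic chain, e.g. LAN2WAN
    verdict: Optional[str] = None  # ACCEPT or DROP; None for chains that carry none
    fields: Dict[str, str] = field(default_factory=dict)  # IN, OUT, SRC, DST, PROTO, ...


def parse_line(line: str) -> Optional[LogEvent]:
    """Split one line into prefix and body; kernel bodies are broken into chain, verdict and fields."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None  # not an SRX5308-style line
    ev = LogEvent(m["ts"], m["system"], m["component"], m["body"])
    if ev.component == "kernel":
        cm = CHAIN_RE.match(ev.body)
        if cm:
            ev.chain, ev.verdict = cm["chain"], cm["verdict"]
            rest = cm["rest"]
            mac = SRC_MAC_RE.search(rest)
            if mac:
                ev.fields["SRC_MAC"] = mac["mac"].lower()
            ev.fields.update((kv["key"], kv["value"]) for kv in KV_RE.finditer(rest))
    return ev


def parse_log(text: str) -> List[LogEvent]:
    """Parse every recognisable line; lines without the prefix are skipped."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def verdict_counts(events: List[LogEvent]) -> Counter:
    """How many packets each traffic chain accepted or dropped, keyed by (chain, verdict)."""
    return Counter((ev.chain, ev.verdict) for ev in events if ev.chain)


def dropped_sources(events: List[LogEvent]) -> Counter:
    """Source addresses whose packets the firewall dropped: the first thing to review."""
    return Counter(ev.fields["SRC"] for ev in events
                   if ev.verdict == "DROP" and "SRC" in ev.fields)


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.timestamp:>20} {ev.component:<10} {ev.chain or '-':<14} "
              f"{ev.verdict or '-':<7} {ev.fields.get('SRC', '-'):<15} -> {ev.fields.get('DST', '-')}")
    print("verdicts:", dict(verdict_counts(EVENTS)))
    print("dropped sources:", dict(dropped_sources(EVENTS)))
```

The same parser applies unchanged to lines received on the syslog server configured on the Firewall Logs & E-mail screen, since the firewall forwards them in this format.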
Table 143. DHCP logs
Messages 1 to 7:
2000 Jan 1 07:27:28 [SRX5308] [dhcpd] Listening on LPF/eth0.1/00:11:22:78:89:90/192.168.11/24
2000 Jan 1 07:27:37 [SRX5308] [dhcpd] DHCPRELEASE of 192.168.10.2 from 00:0f:1f:8f:7c:4a via eth0.1 (not found)
2000 Jan 1 07:27:47 [SRX5308] [dhcpd] DHCPDISCOVER from 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 07:27:48 [SRX5308] [dhcpd] DHCPOFFER on 192.168.11.
D. Two-Factor Authentication
This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution.
• Why Do I Need Two-Factor Authentication?
• What Are the Benefits of Two-Factor Authentication?
• What Is Two-Factor Authentication?
In today's market, online identity theft and online fraud continue to be among the fastest-growing cybercrime activities that hackers and cybercriminals use to steal digital assets for financial gain.
This appendix focuses on and discusses only the first two factors, something you know and something you have. This security method can be viewed as a two-tiered authentication approach because it typically relies on what you know and what you have. A common example of two-factor authentication is a bank (ATM) card issued by a banking institution:
• The PIN to access your account is something you know.
• The ATM card is something you have.
2. A one-time passcode (something the user has) is generated.
Figure 283.
Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and must be used before the expiration time. If a user does not use this passcode before it expires, the user needs to go through the request process again to generate a new OTP.
3.
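As an added illustration (not WiKID's or NETGEAR's code), the following Python sketch of a hypothetical authentication server shows how an issued passcode is tied to its issue time so that it is rejected once it has expired and again once it has been used. The 60-second lifetime and the HMAC-based derivation of the passcode are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_LIFETIME = 60  # seconds a passcode stays valid (assumed value, not WiKID's)


class OtpServer:
    """Hypothetical authentication server issuing time-bound, single-use passcodes.

    The passcode is an HMAC of the user name and issue time under a per-user
    secret, so the server can recompute it on verification; the pending record
    remembers whether it was already consumed, which blocks replay inside the lifetime.
    """

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so expiry can be tested without waiting
        self.secrets = {}        # user -> shared secret bytes
        self.pending = {}        # user -> [issued_at, consumed]

    def enroll(self, user):
        self.secrets[user] = secrets.token_bytes(32)

    def _passcode(self, user, issued_at):
        msg = f"{user}:{issued_at}".encode()
        digest = hmac.new(self.secrets[user], msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def request_passcode(self, user):
        """Step 2 above: generate the OTP (something the user has) and record its issue time."""
        issued_at = int(self.clock())
        self.pending[user] = [issued_at, False]
        return self._passcode(user, issued_at)

    def verify(self, user, passcode):
        """Accept only the passcode currently issued to this user, unexpired and unused."""
        entry = self.pending.get(user)
        if entry is None:
            return False                      # nothing issued for this user
        issued_at, consumed = entry
        if consumed:
            return False                      # replay of an already-used OTP
        if self.clock() - issued_at > OTP_LIFETIME:
            return False                      # expired: user must request a new OTP
        expected = self._passcode(user, issued_at)
        if not hmac.compare_digest(passcode.encode(), expected.encode()):
            return False                      # wrong passcode; issued OTP stays pending
        entry[1] = True                       # mark consumed so a second use is rejected
        return True
```

A production server would additionally rate-limit verification attempts per user, since a six-digit passcode can be guessed within its lifetime if attempts are unlimited.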
E. Notification of Compliance
NETGEAR wired products
Regulatory Compliance Information
This section includes user requirements for operating this product in accordance with national laws for usage of radio spectrum and operation of radio devices. Failure of the end user to comply with the applicable requirements may result in unlawful operation and adverse action against the end user by the applicable national regulatory authority.
FCC Radio Frequency Interference Warnings & Instructions
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Index Numerics IKE policy settings 235 Mode Config settings 252 SNMPv3 user settings 346 VPN policy settings 243–244 alternate network, multicast pass-through 175 application level gateway (ALG) 176 ARP (Address Resolution Protocol) broadcasting, configuring 94 requests 96 arrows, option (web management interface) 24 attached devices monitoring with SNMP 342 viewing 386 attack checks 170–172 authentication for IPSec VPN pre-shared key 205, 210, 213, 236 RSA signature 236 for L2TP 273 for PPTP 270 for SSL V
IPv6 configuring 69 described 68 VPN IPSec 202, 206, 214 autosensing port speed 74 See also MIAS (Microsoft Internet Authentication Service) RADIUS authentication WiKID classical routing (IPv4), configuring 30 CLI (command-line interface) 19, 342 client identifier 38 command-line interface (CLI) 19, 342 community strings, SNMP 344 compatibility, protocols and standards 410 compliance 453 concatenating IPv6 addresses 65 configuration file, managing 347–349
DMZ port IPv4 address and subnet mask 116 IPv6 address and prefix length 120 settings 115 domain, users 303 DPD settings 268 factory 20, 349, 401 failure detection settings IPv4 47 IPv6 70 firewall rules 136 group, users 307 idle time-out periods groups 309 L2TP server 273 PPTP server 270 users 312 IPSec VPN Wizard 205 IPv4 gateway 38 IPv4 routing mode 29 IPv6 gateway 59 IPv6 routing mode 53 LAN group 98 LAN IPv6 address 105 LAN IPv6 prefix length 105 load
IKE policies 237 SSL VPN settings 286 server IPv6 addresses broadband settings 59, 63 DMZ settings 121 LAN settings 106 SSL VPN settings 286 DNS logs, viewing 366 documentation, online 403 domain name blocking 187 Domain Name Server. See DNS.
LAN-to-DMZ rules 163 LAN-to-WAN rules 151 order of precedence 144 overview 140 QoS profile, ToS 143 scheduling 189 settings 141–144 inbound traffic, bandwidth 182 increasing traffic overview 332–335 port forwarding 140 individual bandwidth allocation, WAN traffic 79 installation, verifying 82 instant messaging, blocking (rule example) 168 interface specifications 411 Interior Gateway Protocol (IGP) 129 Internet configuration requirements 416 form to save co
DHCP, address pool 117 DMZ port 116 DNS servers 39, 91, 117 dynamically assigned 38 errors 25 ISATAP tunnel address 66 L2TP server 273 MAC bindings 193 port forwarding, SSL VPN 283 PPTP server 270 requirements 25 reserved 101 secondary LAN 94–96 secondary WAN 47 SIIT address 68 SSL VPN clients, configuring 287 policies, configuring 294 resources, configuring 290 static or permanent 33, 38 subnet mask, default 90 subnet mask, DMZ port 116 VPN tunnels 206, 21
J limits IPv4 sessions 173 LAN traffic volume 360 WAN traffic volume 357 link-local addresses, IPv6 102 link-local advertisements, IPv6 DMZ, configuring for 122 LAN, configuring for 109 load balancing mode bandwidth capacity 329 configuring 41–42 DDNS 50 described 40 VPN IPSec 202 local area network. See LAN.
management default settings 410 maximum transmission unit (MTU) default 73 IPv6 DMZ packets 125 IPv6 LAN packets 111 MCHAP (Microsoft CHAP) 270, 273, 305 MD5 IKE policies 235 Mode Config setting 253 RIP-2 130 self-signed certificate requests 324 SNMPv3 users settings 346 VPN policies 244 Media Access Control. See MAC addresses. membership, ports, VLAN 377 menu (web management interface) 24 Message-Digest algorithm 5. See MD5.
Point-to-Point Tunneling Protocol (PPTP) server settings 269 settings 33, 36 policies IKE exchange mode 232, 234 ISAKMP identifier 232, 235 managing 231 Mode Config operation 234, 253 XAUTH 237 IPSec VPN automatically generated 238 groups, configuring 307 managing 231 manually generated 238 SSL VPN managing 291 settings 294 policy hierarchy 291 pools, Mode Config operation 252 port filtering reducing traffic 330 rules 136 port forwarding firewall rules 136,
protection from common attacks 170–172 protocol binding, configuring 41–44 protocols compatibilities 410 RIP 15 service numbers 177 traffic volume by protocol 358 PSK. See pre-shared key.
remote users, assigning addresses (Mode Config) 250 requirements, hardware 415 reserved IPv4 addresses, configuring 101 Reset button 20 resources, SSL VPN, configuring 288–291 restarting traffic meter (or counter) LAN traffic 360 WAN traffic 357 restoring configuration file 349 retry interval, DNS lookup or ping 75 IPv4 47 IPv6 70 RFC 1349 184 RFC 1700 177 RFC 2865 247 RIP (Routing Information Protocol), configuring 129–131 Road Warrior (client-to-gateway)
SPI (stateful packet inspection) 14, 135 split tunnel, SSL VPN 285 spoofing MAC addresses 397 SSL certificate, warning and downloading 22 SSL VPN ActiveX web cache cleaner 281 ActiveX-based client 276 authentication 306 cache control 280 client IP address range and routes 285–288 configuration steps 276 connection status 299 FQDNs, configuring port forwarding 277 logs 300 network resources, configuring 288–291 overview 14 policies managing 291 settings 294
rate-limiting 75 reducing 330–332 volume by protocol 358 volume, limiting LAN 360 WAN 357 Transmission Control Protocol (TCP) 198 traps, SNMP 344 troubleshooting basic functioning 393 browsers 395 configuration settings, using sniffer 394 date and time settings 403 defaults 395 IP addresses, requirements 25 IPv6 connection 397 ISP connection 396 LEDs 393–394 NTP 403 testing your setup 401 time-out error 395 web management interface 394 trusted certificates
FQDNs 202–203, 421 FQDNs, configuring endpoints 206, 210, 213, 235 gateway-to-gateway auto-rollover 425 load balancing 426 single WAN port mode 425 gateway-to-gateway, using IPSec VPN Wizard 204, 208 IKE policies exchange mode 232, 234 ISAKMP identifier 232, 235 managing 231 Mode Config operation 234, 253 XAUTH 237 increasing traffic 335 IP addresses client-to-gateway (wizard) 214 gateway-to-gateway (wizard) 206, 210 local and remote 235, 243 IPSec VPN logs
LAN WAN outbound rules, configuring 147, 330 locking yourself out configuring an exposed host 167 disabling local authentication 307 disabling secure HTTP management 341 enabling MAC filtering 192 resetting to factory defaults 350, 402 restoring settings from a backup file 349 SSL certificate message 22 web component blocking 187 web management interface described 23 troubleshooting 394 weight 410 weighted load balancing 42 WiKID authentication, overview 44